EU's legal roadblock could threaten Irish-based tech firms
While Irish eyes were fixed on the Web Summit's announcement that it is to quit Dublin for Lisbon, an arguably more seismic event took place in Luxembourg yesterday.
The EU's top court looks set to rule that European countries can stop US companies transferring data back to the US from Europe. The verdict, given by the European Court's of Justice's Advocate General, could cause havoc for Irish-based multinational firms such as Facebook, Google and Microsoft.
It could also undermine the Irish data protection commissioner's position as 'lead regulator' of such companies, a position that other EU privacy regulators have been disputing.
Companies such as Facebook have already warned that a subsequent ruling by the European Court Of Justice, if it follows the Advocate General's non-binding opinion, could result in European users getting less online services in future.
But privacy advocates will be jubilant. Organisations such as Digital Rights Ireland have been warning for years that the data protection standards apply in the US are too lax for stricter European standards and jeopardise EU citizens' privacy
Now, it looks like the EU legal establishment agrees.
American spies have almost unfettered access to information about European users of Facebook and other social media, according to the Advocate General. And it's thanks to an illegal transatlantic pact on data-transfers. That accord, called the Safe Harbour agreement, is supposed to assign EU standards to data privacy for EU citizens' information when transferred to the US. But revelations around the mass-harvesting of private data by US authorities clearly demonstrate that the Safe Harbour agreement is not in effect, the court officer said.
EU citizens "who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies," said Yves Bot, the Advocate General. National data privacy watchdogs should therefore have the power, "where appropriate," to suspend the transfer of such data to servers located in the US, including in the case concerning the data of European Facebook users, he said.
The EU-US Safe Harbour data-sharing accord gives U. intelligence services "wide-ranging" access to EU citizens' data that "must be considered to be particularly serious, given the large number of users concerned and the quantities of data transferred," said Bot.
Those factors and "the secret nature" of the US agencies' access to such data via the servers of companies based in the US "make the interference extremely serious."
The EU's top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about US government surveillance activities and mass data collection. An Irish judge last year called on the EU's highest judicial authority to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the US.
Bot criticised the European Commission for having neither "suspended nor adapted" the decision even though "it was aware of shortcomings" all along. The Commission has been in negotiations with the US for two years in a bid to address its concerns with the Safe Harbor decision of too lax sharing of people's personal data.
The EU Commission said it "has been working tirelessly with the US on the final details of a deal in the last weeks and we are confident that we can reach a positive conclusion soon," according to a statement Wednesday.
Austrian privacy activist Max Schrems triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the US social network company has its European base. He alleged that Facebook's Irish unit illegally handed over data to US spies. Schrems had previously filed 22 complaints against the social networking giant.
Facebook, like other tech giants Google and Yahoo!, have been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the Government.
If followed by the court, it would mean that Facebook's European branch in Ireland "would be barred from processing its data in the US, but would have to process its data in a place where those data are not subject to NSA mass-surveillance," Herwig Hofmann, a lawyer representing Schrems, told reporters at the EU court yesterday. All US companies would have to follow the same rules, he said.
Facebook "operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment," said Facebook spokeswoman Sally Aldous.
"We have repeatedly said that we do not provide 'backdoor' access to Facebook servers and data to intelligence agencies or governments," she said.
There are more than 4,000 US companies that would be affected by the EU court's decision, which should follow in the next four to six months.
DigitalEurope, a trade group that represents companies such as Apple, Google, and Microsoft, said it is "concerned about the potential disruption to international data flows if the court follows today's opinion," according to a statement by John Higgins, its director general.
"If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to US companies that are subject to mass surveillance laws," said Schrems in a statement. "This may have major commercial downsides for the US tech industry."