Austrian campaigner Max Schrems. Photo: PAUS spy chiefs can be blocked from accessing online data of European citizens, a senior European lawyer has said.
The Advocate General to the European Court of Justice issued his opinion after Austrian campaigner Max Schrems challenged Facebook over the transfer of his personal information to American intelligence agencies.
Yves Bot said the Safe Harbor agreement between the US and Europe, which gives spies access to huge banks of data, does not stop watchdogs from investigating complaints or bar them from suspending the transfers.
The arrangement allows the National Security Agency (NSA) to use the Prism surveillance system exposed by whistleblower Edward Snowden to wade through billions of bits of personal data, communication and information held by nine internet giants.
Mr Schrems said the opinion could have major implications for EU-US data flows and US internet companies operating in Europe.
“After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle,” he said.
In his opinion, which the ECJ said is not binding, Mr Bot found that data transfers are an important and necessary element of the transatlantic relationship between the US and Europe. But he warned that the European rules which govern it are invalid.
In one of the most damning findings, Mr Bot said the access US spies have to European data interferes with the right to respect for private life and protection of personal data.
He said internet users in Europe have no effective judicial protection while the large scale data transfers are happening. Mr Bot branded the US spying as “mass, indiscriminate surveillance”.
Such mass, indiscriminate surveillance is inherently disproportionate
Mr Schrems said that while his case was specific to Facebook it may also apply to other tech giants like Apple, Google, Yahoo and Microsoft.
In the 44-page opinion Mr Bot found: “The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.
“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter (of Fundamental Rights of the European Union).”
The final ruling by the ECJ’s 15 judges is expected later this year and while Mr Bot’s opinion is not binding the court’s final decision normally follows his assessment.
Mr Schrems, a Facebook user since 2008, first took his opposition to the Safe Harbor arrangement to the Data Protection Commissioner (DPC) in Ireland - famously based in the unlikely setting of offices above a corner shop in the town of Portarlington.
Everyone on the social network in the EU signs a contract with Facebook Ireland, audited by the DPC, and under the US-EU data transfer all their details can be accessed by the NSA.
Mr Schrems’s challenge to seek an investigation into what data of his was sent to US spies will come back to the High Court in Dublin after the ECJ issues its final ruling.
His action was sparked by the Snowden revelations.
The former NSA contractor triggered a wave of controversy when he leaked tens of thousands of documents about surveillance programmes run by the US intelligence services and foreign counterparts, including Britain’s GCHQ, in 2013.
He fled to Hong Kong where he met journalists to co-ordinate a series of articles that exposed mass surveillance programmes such as the NSA’s Prism and GCHQ’s Tempora, which involve “hoovering up” vast volumes of private communications. Once Snowden’s identity was revealed, he fled to Russia, and he remains wanted by the US authorities.
DigitalEurope, which lobbies for tech firms in Brussels, said the ECJ opinion raises fears that consumers in Europe would lose out on new services if it requires data transfers to the US or elsewhere.
John Higgins, director general, said: “We are concerned about the potential disruption to international data flows if the court follows today’s opinion.
“In addition to the disruption a court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU.”
In Brussels, the European Commission said 13 revisions to Safe Harbor have been adopted in a bid to restore trust.