U.S.-E.U. data-sharing agreement in trouble after NSA surveillance disclosures

A senior adviser for Europe‘s highest court has accused the United States of perpetrating “mass, indiscriminate” surveillance, imperiling a major data-sharing agreement between the U.S. and the European Union.

“Once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data,” Yves Bot, an advocate general for the European Court of Justice, wrote in an advisory opinion released Wednesday.

“Such mass, indiscriminate surveillance is inherently disproportionate,” he added, “and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the [E.U.] Charter.”

Bot’s opinion does not constitute a final judgment in the case at hand, Maximillian Schrems v Data Protection Commissioner, but the advocate general’s advice typically carries significant weight with ECJ justices.

At stake in the court’s ruling is the fate of the U.S.-E.U. Safe Harbor data-sharing agreement. If the ECJ’s decision follows Bot’s reasoning, E.U. countries could stop U.S. companies from collecting data on their citizens under the agreement.

The case arose when an Austrian man sued Facebook for complying with the National Security Agency’s surveillance operations targeted at E.U. citizens. The data-privacy regulator that monitors companies’ adherence to E.U. laws rejected the man’s argument, pointing to the 2000 Safe Harbor agreement as legal justification for Facebook’s use of E.U. citizens’ data.

But the Austrian man appealed that finding on the grounds that “gaping holes in contemporary U.S. data protection practice” rendered the Safe Harbor agreement ineffective.

“Since it is excluded for the E.U. legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance,” Bot wrote in his opinion, “it must follow…that third countries [like the U.S.] cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.”

American tech companies, already facing global pressure following the surveillance disclosures of former NSA contractor Edward Snowden, are bracing for a ruling that could make it much harder for them to do business in a major international market.

“We are concerned about the potential disruption to international data flows if the Court follows today’s opinion,” John Higgins, Director General of the tech industry group DIGITALEUROPE, told Reuters.

The U.S. government has been working on reforms to Safe Harbor with the Irish Data Protection Commissioner, which has jurisdiction over American tech companies because they set up their E.U. operations in tax-friendly Ireland. In the meantime, an ECJ ruling based on Bot’s opinion could deal significant damage to U.S. companies’ European advertising and marketing operations.

“The law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbor scheme,” Bot wrote, “without those citizens benefiting from effective judicial protection.”

H/T Reuters | Photo via Cédric Puisney/Flickr (CC BY 2.0)

Eric Geller

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.