A nonbinding decision Wednesday deemed “invalid” the pact under which Europe and the U.S. share data.
BERLIN—A landmark agreement on data-sharing between the United States and Europe is “invalid,” an adviser to a top European court said Wednesday, in a decision that could lay the groundwork for limitations on the National Security Agency’s global Internet spying practices.
The NSA’s use of a trans-Atlantic “safe-harbor” agreement forged in 2000 to compel companies like Facebook to share personal data on European citizens demonstrates a lack of adequate privacy protections undergirding the pact, said Yves Bot, the advocate general for the European Court of Justice, in a nonbinding but potentially influential legal opinion.
“The law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU … without those citizens benefiting from effective judicial protection,” Bot wrote.
Bot also said that the level of access granted to the NSA on transferred data constituted an interference with the Charter of Fundamental Rights of the European Union, which promises a right to protect personal data. The advocate general also said European data-protection authorities could suspend transfers of data to other countries on grounds of protecting privacy.
The case was brought by Max Schrems, an Austrian law student, who initiated a challenge originally against Facebook on how the company can share data across borders after the 2013 Edward Snowden revelations revealed the scope of U.S. intelligence-gathering of Internet data through a program called PRISM. Schrems argued that he was offered no protection as a European citizen from having his Facebook data spied on because it was transferred from servers in Ireland to servers in the United States, as per the safe-harbor agreement.
The opinion, if accepted, has the potential not only to hamper how thousands of companies transfer data overseas but could also restrict the NSA’s ability to scoop up massive amounts of Internet data on European citizens.
“This finding, if confirmed by the court, would be a major step in limiting the legal options for U.S. authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of U.S. companies,” Schrems said in a statement following the opinion’s release.
Wednesday’s opinion essentially carries no legal force, but the advocate general is rarely overruled. Despite the lack of immediate effect, privacy advocates quickly cheered the decision, indicating it represented yet another groundswell of opposition to NSA surveillance.
“This case reinforces the urgent need for surveillance reform globally,” said Estelle Massé, a Brussels-based policy analyst for the digital-rights group Access. “The U.S. law that authorizes the PRISM program inadequately protects the rights of users, particularly users outside the United States, and it is imperative that the U.S. honor its human-rights obligations and discontinue this type of surveillance.”
If the case yields a binding decision, it will amount to another digital-privacy win in Europe, where many view Silicon Valley dominance with skepticism. Data transfers have been a thorny topic between the two continents since the Snowden revelations, but American and European officials did finalize a long-awaited data-protection deal earlier this month that would offer more protections on how personal information is protected when shared across the Atlantic by law enforcement.
Many companies have long relied on the safe-harbor agreement to conduct business and share data across a globalized Internet. Upending the data-transfer rules could limit the trans-Atlantic flow of information and force companies to develop more data hubs in Europe.
PRISM’s existence was revealed in June 2013 as one of the first programs exposed via the Snowden archive. The surveillance program is used by the NSA to secure wide-ranging data collection from the servers of nine popular Internet companies, including Google, Microsoft, Yahoo, and Facebook. It is governed under Section 702 of the Foreign Intelligence Surveillance Act, a provision that will expire in 2017 absent congressional action.