Facebook case may force European firms to change data storage practices

European companies may have to review their widespread practice of storing digital data with US internet companies after a court accused America’s intelligence services of conducting “mass, indiscriminate surveillance”.

The influential opinion by the European court of justice’s advocate general, Yves Bot, yet to be confirmed by the Luxembourg court as final, is a significant development in the battle over online privacy. The court normally follows the advocate general’s opinion; ECJ judgments are binding on EU countries.

The finding is a fresh victory for the Austrian campaigner Maximilian Schrems, who initially brought a claim against Facebook in Ireland in the wake of Edward Snowden’s revelations about the activities of the US National Security Agency (NSA).

The opinion by Bot contains far-reaching recommendations that threaten to upend many current commercial practices and assumptions in the digital industry.

If any EU country considers that transferring data to servers abroad undermines the protection of citizens, the advocate general’s finding said, it has the power to suspend that transfer “irrespective of the general assessment made by the [EU] commission in its decision”.

“The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security,” Bot’s opinion noted in one of its most damning sections.

“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by articles seven and eight of the charter [of fundamental rights of the EU].”

The Luxembourg court found the Safe Harbor agreement between the US and Europe, which gives spies access to huge banks of data, does not stop watchdogs from investigating complaints or bar them from suspending the transfers.

The arrangement allows the NSA to use the Prism surveillance system – revealed by the Guardian from documents leaked by Snowden – to wade through billions of elements of personal data, communication and information held by nine internet companies.

The opinion states that the commission’s past decision on Safe Harbor within the US is invalid. It said internet users in Europe have no effective judicial protection while the large-scale data transfers are happening.

Schrems said the ruling could have major implications for EU-US data flows and American internet companies operating in Europe.

“After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the court of justice will follow the advocate general’s opinion in principle,” he said.

Schrems said that while his case was specific to Facebook it may also apply to other technology giants such as Apple, Google, Yahoo and Microsoft. The final ruling by the ECJ’s 15 judges is expected later this year.

Everyone on the social network in the EU signs a contract with Facebook Ireland, audited by the data protection commissioner in that country. Under the US-EU data transfer all their details can be accessed by the NSA.

Schrems’s challenge to seek an investigation into which of his data was sent to the US will come back to the high court in Dublin after the ECJ issues its final ruling.

Snowden, a former NSA contractor, triggered a wave of controversy when he leaked tens of thousands of documents about surveillance programmes run by the US intelligence services and foreign counterparts, including Britain’s GCHQ, in 2013.

Responding to the decision, a Facebook spokesperson said: “Facebook operates in compliance with EU data protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment.”

In reference to Prism, Facebook added:“We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments. ... We had never heard of Prism before it was reported by the press and we have never participated in any such scheme.”

More than 4,000 companies are estimated to rely on the Safe Harbor agreement for transferring data to the US. Commenting on the ruling, Jan Philipp Albrecht, home affairs spokesperson for the Green party in the EU, said: “The advocate general has today made clear that the transfer of EU citizens’ private data to the US by Facebook is at odds with EU law. This welcome finding must provoke an immediate response by the relevant authorities in Europe. The Irish data protection commissioner must immediately move to prevent any further data transfers to the US by Facebook, which operates under Irish jurisdiction.

“The finding also confirms the position of the European parliament, which has already called for Safe Harbor to be suspended. It is unacceptable that the European commission has ignored this demand for a year and a half. It is now time for the commission to finally suspend Safe Harbor.

“We need robust, common data protection rules for the EU, which can also be applied to internet operators and the online sector from the US. To this end, we need to swiftly agree the reform of the EU’s data protection laws to ensure strong and implementable individual rights.”

Laywers in the UK suggested that, if confirmed, the ECJ decision would force every European company that stores data on American servers to review their contracts.

Stewart Room, the head of PwC Legal’s data privacy and protection practice, said: “[This] signifies a real game-changing view on the power of the European commission to override the views of the data privacy regulators of the member states. The advocate general takes the view that the commission cannot bind the national regulators. In other words, the views of the member states’ regulators trump the central view of Brussels.

“This presents a real threat to the Safe Harbor data transfer regime to the US. For businesses, a huge amount of uncertainty is now inserted into the legal framework. It has the potential to cause chaos in transatlantic data flows. If the court of justice sides with the advocate general, then multinationals will have to fully rethink their global strategies for data privacy compliance.”

Agustin Reyna, senior legal officer at the European Consumer Organisation, said: “The advocate general’s opinion puts the nail in the coffin of Safe Harbor. This agreement fails to protect European’s personal data. We hope the European court of justice will follow this line and stop the mass circumvention of EU data protection rules. The European commission, which is currently renegotiating Safe Harbor, received today a clear message that the transfer of European citizens’ data cannot be based on self-assessment by US companies.”