CJEU Advocate General Calls For End To 'Mass And Indiscriminate U.S. Surveillance' Under EU-U.S. Safe Harbor Agreement

The Advocate General, whose opinion is highly influential at the Court of Justice of the European Union (CJEU), called the 2000 EU-U.S. Safe Harbor agreement invalid, as it allows U.S. agencies to indiscriminately collect and intercept people's data as it gets transferred to the U.S. Such actions violate articles 7 and 8 of the EU Charter of Fundamental Rights, he said. The final ruling should be given by the 15 CJEU judges by the end of the year.

The "Europe versus Facebook" case, which reached the CJEU this year, was started by Maximilian Schrems from Austria, who claimed that Facebook was violating Europeans' right to privacy.

One way in which Facebook allegedly does that is by giving U.S. agencies access to the data through the PRISM program, which was uncovered by NSA whistleblower Edward Snowden in 2013. However, Facebook has denied any knowledge of a PRISM program and has denied giving the NSA "backdoor access" to its servers.

Yves Bot, the Advocate General, generally agreed with Schrems and questioned whether the EU Safe Harbor offers enough oversight to protect European citizens' data, as required by the Charter of Fundamental Rights.

"The access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security," he noted."Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by articles seven and eight of the charter [of fundamental rights of the EU]," he added.

Although Schrems' case was against Facebook, if the Court of Justice of the EU agrees with Yves Bot's opinion, the ruling could impact all American companies that currently transfer EU citizens' data to U.S. servers for various reasons, from law enforcement requests to more efficient data mining for advertising purposes.

Such a ruling could also mean that the biggest damage caused by the NSA's global mass surveillance, and its pressure on U.S. tech companies to hand over the data of foreigners, has yet to happen. Soon after the Snowden revelations, companies such as Cisco and China saw significant drops in sales abroad, for instance, and the NSA's mass surveillance is likely to continue to hurt U.S. companies in the long term in both direct and more subtle ways.

A CJEU ruling declaring the Safe Harbor agreement invalid could also incur significant costs for tech companies, which would then have to keep all the data of EU citizens inside the EU and allow only EU authorities to have access to it.

The opinion from the Advocate General seems to arrive at the right time, because the EU Commission (the EU's executive body) announced a few weeks ago that it had reached a new agreement with the U.S. regarding data protection for EU citizens. However, the details of that agreement are not out yet, and some are worried about what the new agreement might contain.

Any agreement would now likely have to be postponed anyway, until the CJEU rules in the Europe vs. Facebook case later this year. New agreements regarding the privacy and data protection of EU citizens would then have to be based on that ruling and be in accordance with the EU charter of rights.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.