A deal easing the transfer of data between the United States and the EU is invalid, an adviser to the European Union's top court has warned, dealing a blow to a system used by Facebook, Google and thousands of other companies.
The S\safe harbour agreement did not do enough to protect EU citizen's private information when it reached the US and should have been suspended, Yves Bot, advocate general at the European Court of Justice (ECJ), said.
While Bot's opinions are not legally binding, they tend to be followed by the court's judges, who are considering a complaint about the system following revelations of widespread US government surveillance by the NSA.
In the legal opinion, Bot also said national data protection authorities could suspend data transfers to third countries if they felt EU citizens' privacy was compromised.
That would cause a headache for US companies operating in the EU as well as open up the risk of a patchwork of national approaches, lawyers said.
Many companies, particularly tech companies, had hailed the 2000 safe harbour deal, saying it helps them get round cumbersome checks to transfer between the US and Europe.
"We are concerned about the potential disruption to international data flows if the court follows today's opinion," said John Higgins, director general of Digital Europe, whose members include Apple, Cisco, Ericsson and Google.
Lawyers said a negative ruling from the court would have an impact on all data transfers between the EU and the United States, not just those conducted through safe harbour.
"If you question overall the validity of US law then what about these other legal mechanisms?" said Wim Nauwelaerts, partner at law firm Hunton & Williams.
That could lead to calls from privacy advocates for more information being housed in European data centres, something the industry has long resisted on the grounds that it constitutes protectionism.
Some European companies, however, such as Germany's Deutsche Telekom, have said they would route all email traffic through domestic servers to avoid US snooping.
Facebook claims it's not an NSA backdoor
The case stems from a complaint filed by 27-year-old Austrian law student Max Schrems against Facebook, who claimed the company helped the US National Security Agency (NSA) harvest email and other private data.
Facebook rejects the claim that it provided the NSA with backdoor access to its servers and would wait for the full judgment, a spokeswoman said.
The Irish Data Protection Commissioner had rejected the complaint, saying such transfers were allowed under the safe harbour framework.
But the case was referred to the European Court of Justice (ECJ) after Schrems appealed.
"It is apparent from the findings of the High Court of Ireland and of the (European) Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection," Bot said.
The US government and the Commission have been in talks for two years to strengthen the safe harbour framework amid calls for its suspension.
Herwig Hofmann, a lawyer for Max Schrems, said he was "delighted" about the advocate general's opinion.
"If the United States doesn't change its laws in order to guarantee a minimum of data protection to European citizens, US companies will have to process their data in the EU," he told reporters at the court in Luxembourg.