(CN) - EU member states should be allowed to block Facebook Europe's transfer of user data to U.S. servers despite a European Commission finding that U.S. personal data protection controls are "adequate" when the NSA spying scandal showed they're not, a European Court of Justice adviser said Wednesday.
Austrian national Maximillian Schrems - a Facebook user since 2008 - lodged a complaint with the Irish data-protection authority when he learned that Facebook Europe routinely transferred EU users' data to U.S.-based servers. EU law allows for personal data transfers to third nations only where the European Commission finds the third nation's controls are adequate.
But Schrems argued that revelations made by National Security Agency whistleblower Edward Snowden in 2013 showed that the United States' laws and practices in fact meant his data was not safe from unwanted surveillance - in this case, by the United States government itself.
The Irish authority rejected Schrems' complaint in light of a 2000 finding by the commission that the United States' "safe harbor" scheme - by which businesses can voluntarily provide personal data protection - offered the necessary "adequate" level of protection for legal transfers out of the EU.
Schrems took his case to the High Court of Ireland, which asked the European Court of Justice to weigh in on whether national data-protection authorities can suspend data transfers to third nations on their own despite a commission finding of adequate protection in those nations.
In an opinion for the EU high court, Advocate General Yves Bot said national data-protection authorities must retain their power to intervene regardless of the commission's findings.
"If the national supervisory authorities were absolutely bound by decisions adopted by the commission, that would inevitably limit their total independence," Bot wrote in a 24-page advisory opinion for the Luxembourg-based court. "In accordance with their role as guardians of fundamental rights, the national supervisory authorities must be able to investigate, with complete independence, the complaints submitted to them, in the higher interest of the protection of individuals with regard to the processing of personal data."
He continued, "In the light of the essential role which they play with regard to the protection of personal data, the national supervisory authorities must be able to investigate where they receive a complaint alleging matters that could call into question the level of protection ensured by a third country, including where the commission has found that the third country concerned ensures an adequate level of protection."
Bot acknowledged that national authorities do not have the power to reject commission decisions. But that lack of power does not mean the authorities should automatically deny complaints lodged by citizens without mounting an investigation and examining the complaints on their merits, he said.
"In order to ensure appropriate protection of the fundamental rights of individuals with regard to the processing of personal data, the national supervisory authorities must have the power, where there are allegations regarding infringement of those rights, to conduct investigations," Bot wrote. "If, following such investigations, those authorities consider that, in a third country covered by an adequacy decision, there are strong indications of a breach of the right of citizens of the union to the protection of their personal data, they must be able to suspend the transfer of data to the recipient established in that third country."
And those authorities must also be allowed to bring challenges of the commission's adequacy finding before a national court when their investigations uncover evidence that the third nation's data-protection policies may not be adequate after all, the adviser said.
In this case, the Irish authorities - and the High Court of Ireland - have expressed doubts that the United States offers an adequate level of data protection from the U.S. government's prying eyes, Bot said.
"The referring court itself observes that the guarantee provided by EU constitution and by the core values common to the constitutional traditions of the member states would be compromised if the public authorities were allowed access to electronic communications on a casual and generalized basis without the need for objective justification based on considerations of national security or the prevention of crime specific to the individuals concerned and attended by appropriate and verifiable safeguards," Bot wrote. "The referring court thus indirectly casts doubts on the validity of the commission's adequacy decision."
Furthermore, the adviser noted that the commission has itself questioned the safety of data in the United States after it was discovered the NSA had spied on EU citizens and member-state governments. It might therefore be time for the commission to reassess its finding as to the United States, he said.
"Personal data transferred by undertakings such as Facebook Ireland to their parent company established in the United States is then capable of being accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data," Bot wrote. "Indeed, in the wake of Edward Snowden's revelations, the evidence now available would admit of no other realistic conclusion.
"Second, citizens of the union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies. It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the union which is transferred under the safe-harbor scheme, without those citizens benefiting from effective judicial protection."
The lack of judicial protection, coupled with continued right of access by the U.S. government, constitutes an interference with the constitutional rights of respect for private life, protection of personal data and effective remedy for EU citizens, Bot said. And because U.S. intelligence agencies' surveillance is mass and indiscriminate - and exempt from the safe harbor law - data protection in the United States cannot be considered adequate, he added.
"The obligation owed by the commission is to suspend the application of a decision which it has adopted in the case of proven shortcomings on the part of the third country concerned, while it conducts negotiations with that country in order to put an end to those shortcomings," Bot concluded, noting that those negotiations are ongoing.
Bot's opinion is not binding on the EU high court, which has begun its own deliberations in the case.
Subscribe to Closing Arguments
Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.
Additional Reads
-
EU gains trillions in revenue — and debt April 22, 2024 -
Alaska, Hawaiian Airlines April 17, 2024
-
-
Contributor-Test-Post-2024-04-12 April 12, 2024