Citizens within the European Union (EU) have been advised to close their Facebook accounts if they wish to keep their private information away from the prying eyes of the US security services.
In a hearing that could have significant bearing on the future of the EU-US Safe Harbor agreement, European Commission attorney Bernhard Schima as good as admitted that the current agreement was not fit for purpose, telling attorney-general Yves Bot:
You might consider closing your Facebook account, if you have one.
Schima’s remark came during a case brought by Austrian law student Max Schrems following complaints filed against Facebook and four other US companies – Apple, Microsoft, Skype, and Yahoo – with the relevant data protection authorities in Ireland, Luxembourg and Germany.
After Irish Data Protection Commissioner Billy Hawkes refused to investigate Schrems’ claims surrounding the mass transfer of Facebook users’ data to the US’s National Security Agency (NSA), citing Safe Harbor rules, the case was elevated firstly to the Irish High Court and now to the European Court of Justice (ECJ).
Schrems, and his crowd-funded ‘Europe v Facebook‘ group, began campaigning after Edward Snowden revealed how the Prism data-gathering program gave US intelligence services access to data held by nine US firms, including the five named above.
That, the case argues, breaches the EU’s Data Protection Directive, which outlaws the transfer of citizens’ personal data to countries outside of the EU unless they meet an “adequacy” standard for privacy protection.
On that point Schrems, who was live tweeting the proceedings from Luxembourg, seized on the fact that the European Commission said:
The Commission cannot confirm an adequate protection right now.
The International Association of Privacy Professionals reports, however, that the Commission maintained that Safe Harbor remains a necessity, arguing that:
Safe Harbor is a politically and economically necessary framework that is still under negotiation and is best left in the hands of the commission to work toward a better protection of EU citizen rights.
The negotiations over Safe Harbor – which allows US tech firms such as Facebook and Google to deliver targeted adverts to EU citizens – have been underway since November 2013 with no end to the discussions in sight.
In the meantime, the ECJ was asked to consider whether individual national data protection authorities (DPAs) have the authority to block data transfers where deemed necessary. The Commission’s stance is that it is simply not possible because the DPAs “are in principle not empowered” to suspend data transfers to the United States.
Schrems, however, found backing not only from advocacy group Digital Rights Ireland, which argued that the existing Safe Harbor agreement couldn’t protect citizens’ data, but also from national representatives from countries including Austria and Poland. Representatives from Ireland said they would welcome further guidance on the matter.
If the outcome of the case is the nullification of the Safe Harbor agreement, US companies would still be able to apply to transfer data out of the EU but, Schrems explains via Europe-v-Facebook, doing so may prove more challenging than at present:
A number of companies (e.g. Twitter in its recent Annual Report) expect that it may become harder for US companies to retrieve data from the European Union and it may be necessary to invest in secure European data centers.
The Advocate General of the ECJ will give his opinion on the Safe Harbor framework on 24 June 2015.
Image of Facebook courtesy of Gil C / Shutterstock.