A European legal opinion regarding Facebook’s alleged data-sharing co-operation with the NSA/PRISM dragnet surveillance program that’s due to be issued by the Advocate General (AG) of Europe’s top court is now slated to be delivered on September 23.
The AG had originally been scheduled to deliver the opinion in June. The delay has not been explained by the European Court of Justice (ECJ).
The issue involves the the so-called ‘Safe Harbor’ agreement, which governs data flows from Europe to the U.S. but which remains problematic in the wake of the Snowden revelations’ disclosure of the extent of U.S. intelligence agency surveillance program activity.
Back in 2013 the Europe vs Facebook (EvF) privacy organization, led by data protection activist and lawyer Max Schrems, filed complaints against several U.S. tech giants — including Facebook — for their alleged collaboration with PRISM.
The EvF said it was seeking clarity on European-U.S. data-sharing law to determine whether “mass transfer” of personal data to a foreign intelligence agency is legal under European law.
The Irish data protection authority, the country where Facebook’s European headquarters are based, quickly dismissed the EvF complaint — citing Safe Harbor as the justification for any data-sharing under PRISM. Schrems challenged that decision at the Irish High Court which referred the case to the ECJ in June last year. So the complaint has moved from Ireland to Luxembourg — where the ECJ’s AG is now due to opine on whether the Irish DPA was right to dismiss the complaint or not later this month.
The AG’s opinion is non-binding but does inform the thinking of the 15 judges of the ECJ as they work to determine the court’s final ruling — expected later this year.
EvF notes that in the majority of cases the ECJ follows the AG’s opinion.
In addition, in an ECJ hearing back in March, the European Commission conceded the Safe Harbor agreement does not provide “adequate protection”, and has repeatedly said an update for the system will be forthcoming — although this has yet to materialize.
EvF also suggests the ECJ and AG were “rather critical” of Safe Harbor and the role of the Irish Data Protection Commissioner, during the hearing on March 23.
Speculating on possible outcomes of the AG opinion, EvF says it could range from narrowing the interpretation of Safe Harbor, invalidating the Safe Harbor decision or “an even broader ruling on international data transfers taking into consideration the European Union’s fundamental right to data protection in Article 8 of the Charter of Fundamental Rights of the European Union”.
Legal researcher Brendan Van Alsenoy, who has been following the case, said the AG’s line of questioning in the earlier hearing suggests “the Safe Harbor decision cannot be insulated from a full and proper review”.
“If I were to speculate, I would think the AG inclined to answer the question referred in favor of the plaintiff and argue that national DPAs are not ‘absolutely bound’ by a Commission finding of adequacy,” he tells TechCrunch.
“The real question is whether or not the AG will recommend invalidation of Safe Harbor, or whether he will merely recommend setting aside the provisions which could be seen to violate Directive 95/46/EC,” he adds.
Any such ruling invalidating Safe Harbor by the ECJ could of course have significant implications for a number of U.S. technology companies, not just Facebook, if they have users in Europe and are processing user data outside Europe.
Nor would it be the first time an ECJ ruling has forced U.S. tech companies to change their ways. Back in May 2014 an ECJ ruling that was quickly dubbed the ‘right to be forgotten‘ put Google on the back foot, because it requires search engines process delisting requests from private individuals.
Arguably that ECJ ruling has sparked wider pro-privacy debate over the pond, with some Americans now calling loudly for a similar right to be offered to web users in the U.S.
The EvF PRISM-related legal action is being financed by crowdfunding donations — the organization has raised more than €65,000 in pledges to date.
Schrems has also been trying to bring a class action law suit against Facebook for failing to protect user privacy, including from the PRISM program. That action is being funded by a law firm on a no-win no fee basis.