Snowden revelations threaten U.S.-EU data transfer deal

A data-sharing agreement between the European Union and the United States should be invalidated after the revelation of mass surveillance programs uncovered thanks to the efforts of Edward Snowden in 2013, according to Yves Bot, Advocate General for the EU Court of Justice.
The agreement to which Bot refers is the Safe Harbor decision from 2000. It allows US companies to self-certify that they comply with EU rules governing the transfer of data related to European citizens to other countries, like the US.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Bot stated in an opinion published this morning. This means Safe Harbor is “no longer adequate” and “the decision adopted in 2000 was no longer adapted to the reality of the situation.”
The opinion was published in response to a complaint brought against Facebook by privacy advocate Max Schrems, who says the personal data of European citizens has been made available to U.S. intelligence agencies via the social network.
Schrems has welcomed Bot’s recommendation, saying in response that “This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies, including EU subsidiaries of US companies.” He also argues that invalidating Safe Harbor is a leveling of the playing field:

Self-certification under safe harbor gives US companies an extremely unfair advantage over all other players on the European market that have to stick to much stricter EU law. Removing ‘safe harbor’ would mainly mean that US companies have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.

It’s important to note that Bot’s opinion is non-binding, though the court is said to often side with the advocate general. Facebook wouldn’t be the only company affected by the invalidation of Safe Harbor, either; it would affect all companies that transfer data about European citizens to servers located in the US. The BBC reports that a decision like this could affect an estimated 4,000 companies.
In response to a request for comment, a Facebook spokesperson said the company “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the [A]tlantic we await the full judgement.” And, in response to complaints that data is given to US intelligence agencies through surveillance programs:

We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments. As Mark said in June 2013, we had never heard of PRISM before it was reported by the press and we have never participated in any such scheme.

The court’s judges are expected to make their own ruling later this year.

Facebook ordered to respond to “class action” European privacy suit

The 25,000-people-strong “class action” privacy suit against Facebook, launched in Austria at the start of this month, is going ahead. Although the case was recently shifted from one court to another, Max Schrems’s “Europe v Facebook” campaign group said on Thursday that the wheels are now properly in motion. The Vienna Regional Court has reviewed the case and ordered Facebook Ireland, the company’s international headquarters, to respond to the claimants’ accusations of widespread breaches of data protection law. The social network has four weeks to respond, though it may also apply for a four-week extension.

Facebook privacy “class action” shifted from one Austrian court to another

Vienna’s commercial court has decided it’s not the right place to adjudicate a massive and unprecedented class action suit over Facebook’s alleged breaking of European privacy law. As Network World reported on Friday, the court said the suit should be heard in a nearby court that deals with civil cases. Max Schrems, the man orchestrating the suit, told me this was because the case straddled the line between contract and data protection issues, and the court had merely decided the latter was more relevant than the former. “It’s a wholly administrative thing,” he said. 25,000 people have joined the suit, and another 20,000 have signed up to follow if Schrems decides it’s practical to expand the list.

Facebook PRISM case heads to Europe’s highest court

An Irish judge has asked the Court of Justice of the European Union to say whether it was OK for the country’s data protection watchdog to refuse to investigate the alleged breakdown — as evidenced by the Snowden revelations — of the U.S.-EU “Safe Harbor” principles.

Students force Facebook to cough up more user data

Facebook is giving users the chance to download more of the information that it holds about them than ever before, but the small group of Austrian law students who forced the change say the social network is still holding back.