A deal easing the transfer of data between the United States and the EU is invalid, an adviser to the European Union’s top court said on Wednesday, dealing a blow to a system used by Facebook, Google and thousands of other companies.
The Safe Harbor agreement did not do enough to protect EU citizen’s private information when it reached the United States and should have been suspended, Yves Bot, advocate general at the European Court of Justice (ECJ), said.
While Bot’s opinions are not binding, they tend to be followed by the court’s judges, who are considering a complaint about the system in the wake of revelations from ex-National Security Agency contractor Edward Snowden of mass U.S. government surveillance.
In a trenchant legal opinion which will do little to heal frayed transatlantic relations following the spying leaks, Bot also said national data protection authorities could suspend data transfers to third countries if they felt EU citizens’ privacy was compromised.
That would cause a headache for U.S. companies operating in the EU as well as open up the risk of a patchwork of national approaches, lawyers said.
Many companies, particularly tech companies, have hailed the 2000 Safe Harbor deal, saying it helps them get around cumbersome checks to transfer vital data, including payroll and human resources information as well as online advertising worth billions of dollars, between offices on both sides of the Atlantic.
“We are concerned about the potential disruption to international data flows if the court follows today’s opinion,” said John Higgins, director general of DigitalEurope, whose members include Apple, Cisco, Ericsson and Google.
Lawyers said a negative ruling from the court would have an impact on all data transfers between the EU and the United States, not just those conducted through Safe Harbor.
“If you question overall the validity of U.S. law, then what about these other legal mechanisms?” said Wim Nauwelaerts, partner at law firm Hunton & Williams.
That could lead to calls from privacy advocates for more data centers in Europe, something the industry has long resisted on the grounds that it constitutes protectionism.
Some European companies, however, such as Germany’s Deutsche Telekom, have said they would route all email traffic through domestic servers to avoid U.S. snooping.
The case stems from a complaint filed by 27-year-old Austrian law student Max Schrems against Facebook, alleging the company was helping the U.S. National Security Agency (NSA) harvest email and other private data by forwarding European customer’s data to servers in the United States.
Facebook rejects the claim that it provided the NSA with “backdoor” access to its servers and said it would wait for the full judgment, a spokeswoman said on Wednesday.
The Irish Data Protection Commissioner, who watches over major tech companies’ compliance with privacy laws since they are headquartered in Ireland, rejected the complaint, saying such transfers were allowed under the Safe Harbor framework.
But the case was referred to the European Court of Justice after Schrems appealed.
“It is apparent from the findings of the High Court of Ireland and of the (European) Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot said.
The United States and the commission have been in talks for two years to strengthen the Safe Harbor framework amid calls for its suspension.
Herwig Hofmann, a lawyer for Max Schrems, said he was “delighted” about the advocate general’s opinion.
“If the United States doesn’t change its laws in order to guarantee a minimum of data protection to European citizens, U.S. companies will have to process their data in the EU,” he told reporters at the court in Luxembourg.
(Additional reporting by Pia Oppel in Luxembourg; Editing by Andrew Heavens and David Evans)
This article originally appeared on Recode.net.