US blasts EU criticism of Safe Harbour


29/09/2015: The US government has blasted the EU Advocate General's claims that sending European citizens' data to America is illegal.

Under the Safe Harbor agreement, the US promises to give adequate safeguards to any personal data belonging to people living in the European Union that is transferred to America.

However, the European Court of Justice's Advocate General, Yves Bot, said the US is failing to honour the Safe Harbour agreement, referring to Edward Snowden's revelations about the US spying on foreign people's personal information through its PRISM programme.

Giving an opinion on a class action lawsuit against Facebook that claims EU data was not protected because it was stored in the US, Bot said: "It is clear from Edward Snowden's disclosures that the United States authorities can have access on a mass and undifferentiated basis to personal data of the population living in the territory of the European Union.

"Once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data."

Now the US has responded, claiming Bot's "opinion rests on numerous inaccurate assertions".

A statement from the United States Mission to the European Union read: "The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.

"The PRISM program that the Advocate General's opinion discusses is in fact targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."

It added: "Moreover, the Advocate General's opinion fails to take into account that - particularly in the last two years - President Obama has taken unprecedented steps to enhance transparency and public accountability regarding US intelligence practices, and to strengthen policies to ensure that all persons are treated with dignity and respect, regardless of their nationality or place of residence."

Despite the rebuttal, PRISM allows US spy agencies to trawl through billions of pieces of data belonging to around nine internet companies, and the US is currently trying to gain access to European data stored in Irish servers belonging to Microsoft.

And the Advocate General's opinion could have far-reaching consequences for data storage services if confirmed as final by the Luxembourg court.

Those without an EU datacentre - such as Box and Dropbox - could suffer, because any EU country that fears its citizens' data is put at risk by such a vendor could suspend the transfer of that data.

The Safe Harbour framework is currently being renegotiated by both the EU and US, with the US mission stating: "On both sides, there has been a strong desire to make sure that we improve the Framework, and these efforts should be encouraged."

An updated agreement could be unveiled by the end of the year.

23/09/2015: Tech companies could be forced to hold European data in Europe, after a European Court of Justice opinion suggested "safe harbour" rules may be invalid.

The opinion from Advocate General Yves Bot follows a complaint by Austrian law student Max Schrems, who said that his personal data stored by Facebook in the US couldn't have been adequately protected given Edward Snowden's NSA revelations.

While the Irish Court didn't agree with Schrems, saying his data was agreed to be adequately protected under "safe harbour" rules, Bot did agree with the student.

Bot's opinion said that EU member states must be able to take measures to safeguard "fundamental rights" protected by EU charters, including the right to privacy and protection of personal data.

That could mean the so-called "safe harbour" law, under which tech firms are allowed to store EU data in the US, could be violating European regulations as the data isn't given "adequate protection".

More than 4,400 companies are safe-harbour certified, including Facebook, Microsoft and Apple. If Bot's opinion is upheld, such companies will have to find a new legal grounding to allow EU data to be held in the US.

The opinion is largely down to mass surveillance in the US. The document notes that "the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection."

He said the situation is particularly damaging because "the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance."

What's next

The Advocate General's opinion isn't binding on the EU Court of Justice, but the court normally agrees with his statements. The final ruling is due within a few months.

"After an initial review of the advocate general's opinion of more than 40 pages it seems like years of work could pay off," Schrems said in a statement. "Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle."

"It is great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance," he added.

The legal opinion from Bot could affect ongoing negotiations between the EU and US on a new safe harbour system.

"This finding has also [had] an important impact on the negotiations between the EU and the US regarding a new safe harbor' system, as it must be now assured that the mass access of national security agencies to EU data transferred to the US needs to be definitely excluded," Schrems noted.

It also means the Irish data protection agency must not rely on "safe harbour" with complaints against US tech firms, but must investigate them fully.