The European Union’s highest court will decide early next week whether a critical data protection agreement with the U.S. is valid.
A top adviser to the EU’s high court last week issued a non-binding opinion that recommended overturning the 2000 Safe Harbor agreement, which companies use to legally funnel private data between the U.S. and the EU.
The data-transfer agreement has been a source of contention since former government contractor Edward Snowden revealed the existence of a number of secret U.S. surveillance programs.
Since then, EU officials have warned the U.S. that if it doesn’t improve its data security laws or more strictly enforce Safe Harbor, they will axe the deal.
Under the agreement, U.S. companies can “self-certify” that their data protection practices are meet the more stringent EU standards. But it took the EU pressure for U.S. regulators to start taking regular action against noncompliant compliant.
Despite the uptick in enforcement, Yves Bot, an advocate general for the ECJ, said in her non-binding opinion that the surveillance programs revealed by Snowden render the Safe Harbor protections invalid.
“Because the surveillance carried out by the U.S. is mass, indiscriminate surveillance … in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection,” Bot wrote.
The U.S. fired back on Monday.
“We believe that it is essential to comment in this instance because the Advocate General's opinion rests on numerous inaccurate assertions about intelligence practices of the United States,” the U.S. mission to the E.U. said in a statement.
If the high court affirms the advocate general’s decision — which it often does — over 4,000 U.S. companies relying on Safe Harbor to transfer data abroad will be left looking for alternatives. Tech giants like Google, Facebook and Twitter all use Safe Harbor to handle European personal data in the U.S.
If the court overturns Safe Harbor, it may give these businesses some time to set up legal alternatives for transferring data across U.S.-EU borders.