The 15-year-old Safe Harbor Agreement, which allows U.S.-based tech companies to transfer customer data from Europe, has been deemed invalid by the top legal counsel at the European Court of Justice (ECJ).

The recommendation by Advocate General Yves Bot, published Wednesday morning, revealed concerns with the level of surveillance carried out by intelligence agencies in the U.S. and said the agreement effectively undermined European citizens' right to privacy. The Safe Harbor agreement was implemented in 2000 and allowed U.S. companies to easily transfer data from servers in Europe to their own servers in the U.S. without needing the explicit permission of users or each individual country, as it was deemed that the protections in place were adequate.

Bot does not say explicitly that he believes protections put in place by U.S. companies like Apple Inc., Facebook Inc. and Google Inc. are inadequate, but his recommendation, which is rarely overlooked by the court, does make it clear that the advocate general has concerns in this area. “It is apparent from the findings of the High Court of Ireland and of the [European] Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” the recommendation stated.

The advocate general considers that the access enjoyed by the NSA and other intelligence agencies to the data of European citizens constitutes an interference with people’s right to privacy.

“Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy,” Bot said.

NSA Surveillance

The ruling was brought about after Max Schrems, a Facebook user in Austria since 2008, lodged a complaint with the Irish Data Commissioner (Facebook’s European operation is based in Ireland) in light of the revelations made by NSA whistleblower Edward Snowden in 2013, claiming, “The law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country.”

The Irish Data Commissioner rejected the complaint based on the Safe Harbor Agreement signed in 2000. Schrems brought his case to the High Court in Ireland, which referred it to the ECJ. The recommendations by the advocate general will now be considered by the ECJ, which is expected to hand down a final ruling within a few months.

In response to Bot's recommendations, Schrems said: “After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle.”

Schrems also thanked Snowden and the journalists who helped publish his leaked documents. “I would like to use this opportunity to express my deep respect for the work of Edward Snowden, Glenn Greenwald and Laura Poitras who have made these mass surveillance systems public. Without their work and the donations of more than 2000 people, this issue would not be before the EU’s top court today.”

Major Blow

If the ECJ confirms the findings, it will be a huge blow for companies like Google, Apple and Facebook, which all have millions of customers and users in Europe; having to create separate European-only databases would significantly impact their businesses. “This recommendation by the ECJ is potentially a major blow to US tech companies,” Mike Weston, CEO of data science consultancy Profusion, told International Business Times. “If the Safe Harbor agreement becomes invalid, businesses like Google and Facebook will need to significantly restructure how they manage and use data. The cost implications could be huge, with many of them having to extensively expand their data centre capacity throughout Europe.”

In response to the opinion being published, Facebook told IBT: “Facebook operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgement.” Google and Apple have yet to comment on the findings.

As well as hurting U.S. companies, a ruling following Bot's recommendation could also be bad for the economies of European countries.

“Disruption to international data flows could hurt the UK’s digital economy,” Antony Walker, deputy CEO of techUK, told IBT. “The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe. Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbor every day. President Juncker’s ambition to achieve a true Digital Single Market for growth and jobs will be underpinned or undermined by the EU’s approach to data.”