The advocate-general of the EU Court of Justice has recommended that member states of the EU be allowed to suspend the transfer of personal data to the US by companies operating in the EU if they find that individual privacy may be threatened.
The EU’s existing Data Protection Directive allows data on EU citizens to be transferred outside the EU only if the recipient country has been granted ‘safe harbour’ status. The status is granted after a vetting by the European Commission of the foreign country’s legal protections for personal data and privacy. While the US has long enjoyed safe harbour status, an Austrian citizen, Maximillian Scherms, questioned whether this is still valid following the revelations by Edwards Snowden of mass surveillance of personal data by US security services.
In particular, Scherms questioned the transfer of his data by Facebook from its servers based in Ireland to its operations in the US. The Irish data protection regulator rejected his initial complaint, citing the safe harbour status granted to the US in a Commission decision in 2000. Following Scherms appeal, the Irish High Court sought the opinion of the EU Court of Justice on the matter. The EU Court’s advocate-general has now issued his opinion in the case, saying national regulators may ignore the Commission’s decision under their obligation to uphold the EU’s Charter of Fundamental Rights, which includes the right to a private life and personal data protection.