DUBLIN (Reuters) - Ireland’s High Court on Wednesday asked the European Court of Justice (ECJ) to review a European Union-U.S. data protection agreement in light of allegations that Facebook FB.O shared data from EU users with the U.S. National Security Agency.
It asked the European Court to clarify whether a Safe Harbour deal, which allows the transfer of data from EU consumers to the United States, was compatible with the EU Charter of Fundamental Rights.
The judge was ruling on a request by Austrian student group europe-v-facebook for an investigation into allegations that companies including Apple AAPL.O and Facebook help the U.S. National Security Agency (NSA) harvest email and other private data from European citizens.
The group appealed to the High Court after the Irish data watchdog - the effective supervisor of the EU activities of some of the biggest U.S. Internet companies which have their European headquarters in Ireland - had said in July there were no grounds for such an investigation.
High Court Justice Gerard Hogan said that given the Safe Harbour agreement, which says that U.S. has sufficient data safeguards in place, the Irish regulator did not have the authority to investigate.
If Safe Harbour stands, the student group’s application must fail, he said. “The critical issue which arises is whether the proper interpretation of the 1995 [EU data protection] directive and the 2000 Commission decision [on the Safe Harbour principles] should be re-evaluated in the light of the subsequent entry into force of article 8 of the EU charter,” on the right to the protection of personal data, Hogan said.
The Safe Harbour agreement allows U.S. companies like Facebook, Google GOOGL.O, and Microsoft MSFT.O to gather customer information in Europe and send it to the United States, beyond the EU’s legal jurisdiction, as long as certain criteria are met.
The strength of the agreement was called into question by the revelation by U.S. intelligence contractor Edward Snowden last year that the NSA used major Web companies, including Apple AAPL.O, Google, Facebook and Microsoft, to gather user data as part of a mass electronic surveillance programme known as Prism.
“The whole Prism, NSA spying thing is thereby in front of the highest court in Europe, which is going to be very interesting,” Max Schrems, founder of europe-v-facebook, the Austrian lobby group which brought the case, said.
“Any ruling will apply to any other U.S. companies that have participated in PRISM,” he said, adding that he thought there was a “very good chance” of having Safe Harbour overturned.
EU countries are negotiating a new data protection law which would oblige companies like Google or Facebook to seek consent before using personal information, and would impose stiff fines if they break the rules.
“If Safe Harbour were to come falling down, that would create an immediate issue for the thousands of multinationals who have self-certified with that system,” Rob Corbet, head of technology and innovation at Arthur Cox law firm in Dublin, said.
“However, nobody wants that uncertainty so I think the more likely outcome is that the U.S. and Europe will get their act together and reach a political outcome on data transfers prior to any final ECJ ruling.”
A referral from a Spanish court led the European Court last month to rule that internet companies can be made to remove irrelevant or excessive personal information from search engine results in a case that pitted privacy campaigners against Google.
Writing by Conor Humphries; Additional reporting by Padraic Halpin; Editing by Elaine Hardcastle and Jane Merriman