The advisor to Europe's top court has recommended it rule invalid a scheme for data sharing between the US and the EU's 28 member states.
The advocate general of the European Court of Justice (ECJ), Yves Bot, handed down his opinion on Wednesday concerning a case brought by Austrian PhD law student Max Schrems that could complicate the ability for firms to send European data to US data centres.
"According to Advocate General Bot, the Commission decision finding that the protection of personal data in the United States is adequate does not prevent national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the United States," the Court of Justice of the European Union (CJEU) said in a statement.
Bot also said: "Where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data."
Should the ECJ's judges agree, it could spell troubles for the controversial EU-US Safe Harbour agreement under which companies like Apple, Facebook, and Google are able to self-certify that their systems comply with the EU's data protection directive, so making it legal for them to transfer European user data to the US.
Schrems filed a complaint against Facebook with Ireland's Data Protection Commissioner in June 2013, following Edward Snowden's disclosures earlier that year of the NSA's surveillance program Prism.
The DPC rejected Schrems' complaint, stating it had no duty to investigate, citing a European Commission ruling in 2000 that data protection in the US was adequate due to the Safe Harbour scheme.
Schrems appealed to Ireland's High Court, which referred the case to the ECJ to determine whether the Commission decision prevents the DPC from investigating Schrems' allegations that US data protection is inadequate and whether the authority can suspend the transfer of data to the US. The High Court will be tasked with making the final decision, however it is bound by the ECJ ruling once it's handed down.
Schrems today commended Bot for considering the Safe Habour scheme invalid.
"It is great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance," Schrems said in a statement.
"If the Safe Harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to US companies that are subject to mass surveillance laws. This is may have major commercial downsides for the US tech industry," he added.
"After an initial review of the advocate general's opinion of more than 40 pages, it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general's opinion in principle," he added.
As Schrems notes, 4,410 US companies are certified under the Safe Harbour scheme, which includes every major IT company from Apple and Amazon to Yahoo and Twitter.