The “Safe Harbour” framework—which is supposed to ensure data transfers from the EU to the US are legal under European data privacy laws—does not satisfy the EU’s Data Protection Directive as a result of the “mass, indiscriminate surveillance” carried out by the NSA. That’s the opinion of the Court of Justice of the European Union (CJEU) Advocate General Yves Bot, whose views are generally followed by the CJEU when it hands down its final rulings.
The case was sent to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximillian Schrems, an Austrian citizen. He had argued that in the light of Snowden’s revelations about the NSA, the data he provided to Facebook that was transferred from the company’s Irish subsidiary to the US under the Safe Harbour scheme was not, in fact, adequately protected. The Advocate General Bot agreed with Schrems that the EU-US Safe Harbour system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.
According to the CJEU statement (PDF link), “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the [Charter of Fundamental Rights of the EU].” Another issue, according to the Advocate General, was “the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States,” which therefore amounts to “an interference with the right of EU citizens of the to an effective remedy, protected by the Charter.”