Thousands of U.S. and European companies who rely on the EU–US Safe Harbor Framework to permit the transfer of personal data from the EU to the U.S., have come a step closer to seeing the transfer mechanism struck down.
Today, Europe’s Advocate General Yves Bot (a top advisor to the European Court of Justice) released his long awaited opinion on the EU–US Safe Harbor Framework, in which he says that the European Commission decision, which permits European organisations to send personal data to the U.S. under the framework, is invalid.
Under EU privacy law, the transfer of personal data to a country outside the European Economic Area can in general only take place if the destination country ensures an “adequate” level of data protection. The European Commission’s decision of 2000 in respect of the Safe Harbor Framework allows certain organisations in the U.S. (particularly those in the tech sector) to self-certify their compliance with European privacy principles that the Commission considered demonstrated an adequate level of protection for personal data, including elements such as notice, choice, onward transfer, data security, data integrity and dispute resolution processes.
In recent years, however, Safe Harbor has been heavily criticised by both data protection regulators and privacy advocates for not providing sufficient protection for personal data. The Commission itself has also entered negotiations with the US to strengthen the protections afforded by the framework.
The Advocat General’s opinion follows the case launched by Austrian citizen Maximillian Schrems against the Irish Data Protection Commissioner and centres on the Edward Snowden revelations concerning the surveillance activities of the U.S. intelligence services.
Schrems lodged a complaint with the Irish data protection regulator taking the view that (in relation to certain transfers of personal data from Ireland to the U.S.) in light of the Snowden revelations, the law and practices of the U.S. government offered no real protection for personal data. After the Irish regulator rejected the complaint (on the grounds that under the Commission’s Safe Harbor decision the U.S. offer an adequate level of protection), Schrems took his claim to the Irish courts. The case was then referred by Ireland to the European Court of Justice. The Advocate General’s opinion will be considered by the Court of Justice when making its final decisions.
In his opinion, the Advocate General expresses two main views:
- The existence of the Commission’s decision on a Safe Harbor pact with the U.S. does not prevent national data protection regulators in Europe from intervening in and reviewing data transfers. If a member state data protection regulator, for example, considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the Commission’s assessment regarding the legitimacy of the Safe Harbor program. (In March, we published an alert on two German Supervisory Authorities that threatened to suspend data transfers based on the US Safe Harbor Program.)
- The Commission decision that finds the Safe Harbor to be an adequate mechanism for data transfer is invalid. His views being influenced by the lack of protection afforded to EU citizens in the face of large-scale collection, access and allegedly indiscriminate surveillance of personal data by the U.S. intelligence services.
The Advocate General’s opinion is not binding on the Court of Justice but is often seen as highly persuasive. We await a date for the court’s final decision which could leave: (i) many organisations needing to rapidly implement new data transfer solutions; and (ii) a patch work approach to Safe Harbor across the EU where, depending on the views of the relevant member state data protection regulator, some member states continue to recognise the framework and others do not.
Of immediate note for U.S. and European companies is to update their mappings of cross-border data flows between these regions, and to begin considering the costs/benefits of alternative methods that may provide more predictable and stable ways to transfer data. In performing this assessment, there are three important issues to remember:
- The international data transfers that are subject to EU restrictions include not only the actual “sending” of personal information (for example, via emails), but also the remote accessing or viewing of personal data from the U.S. e.g. via cloud services that maintain servers in the EEA.
- The personal data that is subject to the EU data transfer restriction certainly includes consumer and customer data, but also personal data relating to employees, vendors, business partners and other third parties.
- The Safe Harbor framework addresses transfers only from the EU into the U.S., and does not cover traffic from the EU to other countries, or data from non-EU countries with transfer restrictions into the EU.