In an earlier post, my colleagues reported on the Safe Harbor case currently being dealt with at the European Court of Justice.
For the time being the Safe Harbor certification basically justified a data transfer from Germany to the United States. Nevertheless since 2013 the Safe Harbor Agreement became subject to decreasing criticism in the German marketplace, in particular by German federal and federal state data protection commissioners. already in July 2013 they more or less suspended the application of the Safe Harbor Agreement.
Albeit the absence of an explicit suspension of the decision of the EU Commission, according to which such a Safe Harbor Certification is sufficient as a proof for a reasonable data protection level the German data protection authorities, deemed themselves as not being strictly bound anymore to the aforesaid decision of the EU Commission. From 2014 onwards some federal data protection commissioners started precedent administrative proceedings against at least two international operations relying on the Safe Harbor Agreement in order to impose a formal interdiction of future inner group transfer of personal data to and processing of personal data in the U.S.
Although this practise of the federal data protection commissioners could have been criticised as the national data protection commissioners are bound to the decision of the European Commission, the practise might be supported by the European Court of Justice in the near future by its ruling in the case C-362/14 – Schrems vs. Data Protection Commissioner. As announced by a press release of the European Court of Justice in this case on 23. September 2015, the Advocat General is of the opinion that the existence of a European Commission Decision does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred, and, where appropriate, from suspending the transfer of that data. Albeit the European Court of Justice does not necessarily follow the Advocate General’s opinion at least this statement will encourage the German data protection authorities for the time being to move ahead with or even expand their proceedings on international operations relying on Safe Harbor for their data transfer into the U.S. On this background the second and indeed important statement of the Advocate General as summarized in the press release stating that the European Commission’s Decision on the adequacy of the protection provided by the Safe Harbor privacy principles is invalid, is even of no specific relevance as it meets the customary legal point of view of the German data protection commissioners anyway.
The practical consequence: No operation processing data in Germany should any longer rely on the Safe Harbor Agreement currently in force as concerns the transfer of personal data from Germany to the U.S.
The main milestones and facts re. the status of the on-going discussion in Germany:
- The fact that Safe Harbor is a “self-certification procedure”, for which the participating companies merely by an informal letter declare to the FTC that they acknowledge and observe the Safe Harbor principles, constituted one of the core elements of such criticism amongst German data protection authorities and legal experts. Especially as no control is carried out, neither through the FTC, nor through any other institution as to whether the respective companies effectively meet with the requirements of the Safe-Harbor Certification.
- As a consequence of the extensive supervision by foreign secret services, in particular by the US National Security Agency (NSA), criticism on Safe Harbor as being an instrument for guaranteeing a reasonable data protection level, further increased. On July 24, 2013, the data protection commissioners of the German federal government and federal states governments stated in a press release that they will not issue new authorizations for data transfers to third countries and that they will investigate and assess whether such data transfers on the basis of the Safe Harbor Agreement (as well as the European Union standard contractual clauses) are to be suspended) cf. press release
- Furthermore, as a result from their conference on July 24, 2013, the data protection authorities issued a plea to the European Commission according to which the European Commission should suspend its decisions on Safe Harbor in the light of the excessive supervision activities of foreign secret services for the time being. In accordance with this statement, the Data Protection Officers of the federal and federal states governments stressed during their conference on March 18/19, 2015 again that the Safe Harbor decision of the European Commission does not provide a sufficient protection for the fundamental right of data protection for the transfer of personal data to the US – cf. press release. In fact we have seen federal state data protection authorities opening formal investigations on international operations re. data transfer to the US on the basis of Safe Harbor; such proceedings are ongoing.
- Additionally, the Safe Harbor Agreement is subject to considerable criticism on the European level. In a notification to the European Parliament and the Board dated November 27, 2013, the European Commission considerably criticized the Safe Harbor Agreement (COM (2013) 847 final). As a result, in March 2014, the members of the European Parliament voted for the suspension of the Safe Harbor Program (cf. press release)
- The European Court of Justice (ECJ) will at short notice deal with the legality of the Safe Harbor Agreement (file no.: C-362/14) on the background of a lawsuit of the Austrian data protection activist, Max Schrems, vs. the Irish Data Protection Commissioner, who, however, supports the view that the Safe Harbor Agreement allows European companies to transfer personal data to the USA. In the light of this practice, the ECJ will decide on the compatibility of the Safe Harbor Agreement with the European Charter in the upcoming months.
- Against this background, negotiations are actually running between the EU Commission and the US Government regarding the amendment of the Safe Harbor Agreement. The Justice Commissioner, Ms. Jaurová, insofar proposes during the meeting of the Commissioners for Home Affairs and Justice of the EU and the USA on May 28, 2015 in Riga a new draft for a Safe Harbor Certification, in which particularly abuse prevention and effective liability provisions shall be provided. The negotiations are not yet completed successfully.