The Advocate General has delivered his Opinion in the Schrems case on the US-EU Safe Harbor framework, finding that: (i) national data protection authorities have the power to investigate – and suspend – transatlantic personal data flows; and (ii) the EU Commission’s Safe Harbor decision is invalid because Europeans’ personal data isn’t adequately protected from mass US surveillance. The Opinion isn’t binding but – if the EU Court follows it – organisations may need to find an alternative legal basis for sending data from Europe to the US.

What’s the case about?

Background

Max Schrems, an Austrian law student and privacy activist, sought judicial review against the Irish Data Protection Commissioner’s decision over the US-EU Safe Harbor framework. The Irish High Court referred the case to the Court of Justice of the European Union (CJEU), and AG Bot has now delivered his Opinion.

What is Safe Harbor?

European data protection rules restrict transfer of personal data from the EEA to countries without ‘adequate’ data protection laws. The EU Commission decided in 2000 that personal data sent to US organisations that sign up to the Safe Harbor scheme is adequately protected. Safe Harbor organisations self-certify compliance with certain privacy principles, and the scheme is enforced by the US FTC. Safe Harbor is one of several (alternative) legal grounds for EU-US personal data transfers.

The issues

Mr Schrems, a Facebook user, challenged the Data Protection Commissioner’s refusal to investigate his complaint about Facebook Ireland sending personal data to Facebook Inc, its Safe Harbor-certified parent with servers in the US. Mr Schrems argued that the Safe Harbor framework provides no real protection for personal data in light of the scale of US state surveillance activities revealed by Edward Snowden. The Data Protection Commissioner declined to investigate, arguing that it was bound by the EU Commission decision establishing Safe Harbor. The Irish High Court asked the CJEU whether the Data Protection Commissioner was bound by the Safe Harbor decision, or whether it should conduct its own investigation.

The Opinion

The AG decided that the Safe Harbor decision:

  • didn’t prevent national data protection authorities from investigating whether personal data is adequately protected in the US and, where appropriate, suspending data transfers – the decision didn’t reduce the authorities’ investigative powers or independence under the Data Protection Directive; and
  • was invalid in light of subsequent revelations about the scale of state surveillance activities in the US. Although the Safe Harbor principles can be limited by national security considerations in certain cases, mass, indiscriminate surveillance was an unjustified and disproportionate interference with rights guaranteed by the Charter of Fundamental Rights of the European Union.

What does it mean for Safe Harbor?

This isn’t necessarily the end of Safe Harbor. The AG’s Opinion is non-binding and the CJEU might not follow it (although it often does).

Negotiations between the EU and US governments on a revised Safe Harbor framework were already under way, and the Opinion will add to the political pressure to agree a revised scheme. Over 4,000 US organisations are Safe Harbor-certified; the scheme is widely used, not just by the world’s largest technology companies but also by thousands of SMEs. The US FTC has attributed over $100bn of economic activity to Safe Harbor-related data flows, and the Commission and the FTC have previously stated their commitment to retaining the framework.

The Opinion means that any new Safe Harbor agreement must address the current lack of protection for EU citizens’ personal data from mass US surveillance, a failing that the AG forcefully criticised. The EU Commission has also identified better transparency and oversight as other reform priorities. The AG didn’t criticise how US organisations handle personal data; sharing data with intelligence agencies doesn’t breach the current Safe Harbor principles, as there are broad national security carve-outs.

What does my organisation need to do?

The Safe Harbor decision remains in force until the CJEU decides the case. In the meantime, you should consider whether your organisation currently uses Safe Harbor as a legal basis for EU-US data transfers. Even if your organisation or its US affiliates aren’t Safe Harbor-certified, it’s possible that personal data controlled by your organisation is transferred to the US under arrangements with your suppliers. In particular, many enterprise cloud computing services (eg email, hosting, payroll, ERP and CRM systems, as well as cloud-based storage and compute services) rely on Safe Harbor for lawful data transfers to servers in the US.