Thousands of US businesses transacting with the EU rely on the “Safe Harbor” regime as a basis for receiving and accessing personal data from the EU in a legally compliant manner. This regime is currently under challenge.
In Case C-362/14 Maximilian Schrems v Data Protection Commissioner, Advocate General Yves Bot issued a non-binding opinion on 23 September 2015 in which he recommended that the European Commission decision issued 15 years ago that forms the basis of the Safe Harbor regime (Commission Decision 2000/520/EC of 26 July 2000, which found that the Safe Harbor principles afforded adequate protection for transfers of personal data from the EU to the US) should be declared invalid.
He also recommended that even if there is an existing Commission decision determining that a non-EU country provides an adequate level of protection for personal data transferred to that country, this should not fetter national supervisory authorities, which must be able to investigate third country adequacy independently.
WHAT IS THE SAFE HARBOR?
The Safe Harbor regime allows for transfers of personal data to be made from the EU to the US where US organisations have self-certified that they conform to the Safe Harbor Privacy Principles. The Principles are designed to ensure that such organisations offer an adequate level of privacy protection, satisfying the requirements of the EU Data Protection Directive (Directive 95/46/EC). One of the main benefits of the regime, then, is that it provides a relatively fast and simple way of complying with the Data Protection Directive, allowing US organisations to share personal data with EU entities.
BACKGROUND AND FACTS OF THE CASE
The case was brought in the Irish High Court by Austrian national and privacy activist Maximilian Schrems in response to a decision by the Irish Data Protection Commissioner (DPC) not to investigate his claims in respect of transfers of personal data to the US by Facebook. Such transfers rely on Facebook’s adherence to the Safe Harbor regime.
Mr Schrems complained that, in light of Edward Snowden’s NSA PRISM revelations, US laws and practice failed to protect against mass surveillance of data held in the US. The DPC, in refusing to investigate, had claimed that Safe Harbor provided adequate protection in respect of the transfers of such data.
The Irish High Court asked the ECJ to clarify whether it (and other national supervisory authorities) was bound by Decision 2000/520 when determining whether a third country’s laws and practices provided adequate protection for data transfers.
It also asked whether the DPC should conduct its own investigation of the matter in light of factual developments since Decision 2000/520 was made (such as the Snowden revelations). AG Bot’s recommendations were in response to these queries.
Since AG Bot’s opinion is non-binding in nature, it has not caused any changes to the law, and the ECJ is free to reject or adopt his recommendations. However, the ECJ often follows the recommendations of its advisers, which means that the impact of the case could be wide-ranging for the significant number of Safe Harbor-certified organisations.
US entities currently relying on the Safe Harbor will need to give some consideration to alternative means of legitimizing data transfers. These include:
- Consent of the individual. However, it is not recommended to rely on consent as the basis for repeated or systematic data transfers, and it can be difficult to show that consent is informed (and therefore valid).
- Contracts, incorporating standard clauses between those exporting and importing data.
- Binding corporate rules for intra-group transfers.
Following AG Bot’s opinion, a date for the judgment in Case C-362/14 has been set swiftly and it is due to be delivered on Tuesday 6 October at 9:30am. We’ll find out more then on the future of the Safe Harbor.