A European court has taken an initial step toward invalidating the U.S.-EU Safe Harbor Framework, one of the primary means for transferring personal data of Europeans to the U.S. It adds more pressure on EU authorities and the U.S. government to update privacy protections under the Safe Harbor program. The European Commission began a review of Safe Harbor in the wake of Edward Snowden’s leaks about NSA surveillance and has been trying to finalize reforms.
On Sept. 23, an Advocate General of the Court of Justice of the European Union issued an opinion recommending that the Court invalidate the U.S.-EU Safe Harbor Framework. Advocate General Yves Bot concluded that the Safe Harbor program fails to adequately protect against large-scale collection of Europeans’ personal data by the U.S. government.
The case relates to Facebook’s use of Safe Harbor to move personal data of European users from Ireland to servers in the U.S. After Snowden revealed that the NSA had gained access to data from Facebook, privacy campaigner Max Schrems asked Ireland’s data protection commissioner to stop Facebook’s Irish subsidiary from transferring data to the U.S. The Irish commissioner said that it could not take action as it was bound by the European Commission’s decision approving the Safe Harbor Framework. An Irish court ultimately sent the issue to the EU Court of Justice.
The U.S.-EU Safe Harbor was adopted 16 years ago to provide a simple mechanism for personal data to be transferred from European organizations to business partners, vendors and other entities in the United States. Under EU data protection law, personal data cannot be transferred to countries that do not offer adequate legal protections for privacy, except in limited circumstances.
Because the U.S. lacks comprehensive information privacy legislation, the Safe Harbor Framework was established by the U.S. government and the European Commission in order to allow U.S. companies to receive EU personal data if they self-certify that they will comply with privacy safeguards based on EU principles. In its decision approving the Safe Harbor program in 2000, the European Commission found that the program could ensure an adequate level of protection for personal data from the EU.
The Advocate General has now challenged the legal basis of that decision, finding that “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data.“
His opinion also highlights concerns that EU citizens are unable to challenge U.S. surveillance in U.S. courts: “the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts . . . to an interference with the right of EU citizens to an effective remedy.”
The Advocate General’s opinion is a recommendation rather than a final judicial decision. The Court of Justice considers the opinion in making its final ruling but is not obligated to accept the Advocate General’s position. However, in many cases, the Court follows the recommendation.
If the Court ultimately rules against the U.S.-EU Safe Harbor, the European Commission will need to move quickly to approve a revised version of Safe Harbor as part of a new ‘adequacy’ decision.
Changes to the Safe Harbor Framework have been underway for some time. In 2013 the European Commission announced a 13-point plan for strengthening Safe Harbor. Many of the points have already been addressed. The U.S. Federal Trade Commission has stepped up efforts to check on whether companies are current on their annual self-certifications. In early September, the European Commission and the U.S. Department of Justice finished a framework agreement on data protection for EU-U.S. law enforcement cooperation (the so-called EU-US data protection “umbrella agreement”).
An important outstanding item – referenced in the Advocate General’s opinion and also related to approval of the umbrella agreement – is the right of EU citizens to bring claims in U.S. courts against the U.S. government for privacy violations. This requires a change in U.S. law under the Privacy Act of 1974. Congress is considering the Judicial Redress Act to give Europeans these rights.
The Court’s decision in the Schrems case is expected by the end of 2015. Officials appear to have a limited window of time to ensure that the Safe Harbor Framework is preserved.