Following up on our last post from last week, the Court of Justice of the European Union (CJEU), moving at almost breakneck speed, has announced that it will be deciding the legal status of the US-EU Safe Harbor Framework on or before October 6. Although a decision was not expected for several weeks, the ongoing negotiations between the EU and the U.S. on this issue have very likely sped up the process.
The 1995 EU Privacy Directive 94/46/EC, states that the collection of personal data of EU citizens in third countries, like the United States, may “only be done with employee consent and only where the U.S. has ensured and adequate level of data protection.” More than 4,000 American companies operate under the directive’s “Safe Harbor” provision which allows U.S. companies to receive their EU employees’ data if they do so in a manner that is consistent with the directive. To say that a change in the Privacy Directive could have enormous consequences for those 4,000+ American companies would be an understatement.
One of those U.S. companies is Facebook. Facebook faced a complaint from an Austrian user named Maxamillian Schrems. Schrems brought a complaint with the Irish Data Protection Commissioner, alleging that Facebook’s transfer of the data that he provided to Facebook through his use of it to Facebook servers in the United States violated the Privacy Directive 95/46/EC. The Irish Commissioner rejected Schrem’s complaint and the status quo seemed to be intact. All that was thrown up in the air on September 23rd when the High Court of Ireland, through Advocate General Yves Bot, issued an advisory opinion stating that national privacy and data collection laws can trump an EU Commission determination that a third country meets the Safe Harbor requirements.
Since the September 23rd advisory opinion, the US mission to Europe has (unsurprisingly) come out against the AG Bot’s stance. Adding to the intensity of the situation are the ongoing negotiations to update the Safe Harbor framework. While businesses, particularly tech companies, tend to support the framework, many EU member states have taken differing approaches to the powers of DPAs and have pushed, with some success, for greater privacy regulations (see for example, the right to be forgotten).