In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens. In light of its non-binding nature, the opinion did not effect any legal change and the ECJ is free to reject or adopt its recommendations. Nevertheless, the opinion has triggered widespread concerns about the future of the Safe Harbor, due in part to the frequency with which the ECJ follows the recommendations of its advisors.
Under EU privacy law, transfer of personal data from the EU is permitted only to countries that provide an “adequate” level of data protection. Based on a 2000 ruling by the European Commission, self-certification under the Safe Harbor demonstrates adequate protection and enables participating companies to transfer personal data between the EU and U.S. However, the adequacy of the current Safe Harbor framework has been challenged in recent years, and the U.S. and European Commission are in the process of negotiating changes to the regime to strengthen the protections afforded by the Safe Harbor.
In the opinion, the Advocate General found that the 2000 European Commission decision is no longer valid and urged the ECJ to rule likewise in the pending case Maximillian Schrems v. Data Protection Commissioner. As support for his position, the Advocate General focused on questionable U.S. government surveillance practices, as well as the lack of adequate measures for enforcement and the redress of grievances by EU citizens. The Advocate General also rejected the European Commission’s argument that the Safe Harbor decision should remain in force until the ongoing negotiations for a new Safe Harbor scheme are completed, intensifying pressure for the U.S. and EU to reach a compromise as soon as possible. In response, the ECJ has not taken any immediate action and is expected to issue its opinion by the end of this year.
At present, the Safe Harbor remains a valid legal tool and is the most cost-effective method to achieve the transfer of personal data from the EU to the U.S. Alternatives to the Safe Harbor – such as binding corporate rules, the EU model contract clauses, or obtaining opt-in consent from all data subjects – are more expensive and time-consuming for most companies to implement.