Advocate General of the Court of Justice of the European Union (“CJEU”) publishes his opinion (the “Opinion”) questioning the validity of Safe Harbor
The Opinion in summary
On 23 September 2015 Advocate General (“AG”) Bot issued what is likely to be a very disruptive opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (the “Case”).
The AG makes two firm suggestions to the European Court of Justice that, if followed in the final decision, will have significant implications for the future of Safe Harbor and, potentially, for the adequacy decisions in respect of other third countries and transfer mechanisms generally:
- The data protection authorities (“DPAs”) in the EU are not (and should not be) fettered by the European Commission (the “Commission”) decision on the adequacy of US Safe Harbor (or the data protection laws of other third countries) to provide protection when personal data is transferred outside of the EU. Therefore, DPAs can and should be free to investigate the adequacy rulings of third countries (including the adequacy of Safe Harbor) in response to complaints, and have the power to suspend transfers to that jurisdiction if adequacy no longer exists.
- With the potential for greater shock waves across the privacy sphere, the AG also considers the adequacy decision of the Commission (2000/520/EC of 26 July 2000 – the “SH Decision”), which established Safe Harbor, to be invalid. This is on the basis that the SH Decision is outdated in the wake of the revelations that US authorities (such as the NSA) have access to personal data of EU citizens.
The Case stemmed from a complaint made by Maximilian Schrems (an Austrian citizen) to the Irish Data Protection Commissioner (the “Irish DPA”).
Like all Facebook users resident in Europe, Mr Schrems’ user profile and personal data are collected by the firm’s Irish subsidiary, from which they are then transferred to the servers hosted by Facebook Inc. in the US – this transfer is conducted on the basis of Facebook Inc.’s Safe Harbor certification. Following the NSA revelations made by Edward Snowden (the “PRISM Scandal”), Mr Schrems complained to the Irish DPA that the US and the Safe Harbor regime did not offer ‘adequate’ protection for the personal data of EU citizens if the US authorities could use that data for nonspecific surveillance and monitoring operations.
The Irish DPA rejected this claim on the basis that the SH Decision had already deemed Safe Harbor adequate and therefore companies like Facebook (which transfer personal data on the basis of Safe Harbor) provide adequate protection of that data.
Not to be perturbed, Mr Schrems sought judicial review by the High Court of Ireland, which in turn sought direction from the CJEU. The High Court of Ireland asked whether the Irish DPA was bound by the SH Decision and if, therefore, the SH Decision prohibited the Irish DPA from (a) investigating complaints that transfers of personal data to the US, pursuant to Safe Harbor, are not adequately protected; and (b) suspending transfers of such data pursuant to Safe Harbor.
The ruling of the CJEU has not yet been provided and it should be noted that the AG’s Opinion is not binding. The CJEU could take a different view, but historically opinions of the assigned AG are influential on the outcome.
The Opinion in detail
Independence of Data Protection Authorities
As noted above, it is the AG’s opinion that DPAs in each Member State should and do have complete independence and authority to investigate complaints raised regarding any decision of the Commission in relation to the adequacy of a third country (i.e. not just the SH Decision in relation to the adequacy of Safe Harbor but all decisions relating to the adequacy of data protection laws in countries outside the EU).
Further, dependent on the outcome of such investigations, the DPAs have the authority to suspend transfers of personal data to the relevant jurisdictions regardless of any previous decision of adequacy by the Commission.
The AG backs up his Opinion by reference to Article 28 of the EU Privacy Directive 95/46/EC (the “Directive”), which states that:
“…[DPAs] shall act with complete independence in exercising the functions entrusted to them… [and] shall hear claims lodged by any person… concerning the protection of his rights and freedoms in regard to the processing of personal data”.
He also bases his decision in part on Articles 7 and 8 of the Charter of Fundamental Rights (the “Charter”), in that EU citizens have the right to respect for private and family life and a right to the protection of their personal data, and Member States are entitled to take necessary steps to ensure such rights are enforced.
By referring to the Charter and not just the wording of the Directive, which is soon to be replaced by the General Data Protection Regulation (the “GDPR”), the AG does not limit his opinion to the life of the Directive. Therefore, it will be interesting to see whether his comments (and any ultimate decision of the CJEU) will have an impact on the provisions of the GDPR, which are still being negotiated.
Returning to the question originally posed by the High Court of Ireland (i.e. is the Irish DPA - and by implication, any other DPA - bound by decisions of the Commission and thereby prohibited from investigating complaints and suspending transfers of data?) the AG’s opinion is clearly that:
- No, DPAs are not bound by decisions of the Commission (including the SH Decision) as the ‘adequacy’ of third countries is something to be assessed and determined both at Commission level and local level; and
- DPAs are, accordingly, entitled to act independently of these decisions to investigate complaints (without summarily dismissing them) and take action where they determine adequacy is lacking.
The EU Commission’s Safe Harbor adequacy decision
The Opinion considers the validity of the SH Decision in some detail and, in framing his view, the AG notes that ‘adequacy’ should be interpreted as equivalency to the level of protection in force in the EU, and not mean merely “satisfactory or sufficient”.
He also considers that an adequacy decision cannot be one which is frozen at the time at which it is made but by implication must continue to represent the adequacy/equivalency of the protection provided at any time that such decision is relied upon. Therefore, the Commission should be constantly assessing its 15-year-old SH Decision to determine whether it remains accurate.
On this premise, the AG refers to the PRISM Scandal and the fact that US authorities are lawfully permitted to conduct large-scale monitoring and collection of EU citizens’ personal data that has been transferred to the US. He notes that such monitoring and collection is largely conducted without effective judicial oversight and that, while US citizens may have rights in relation to the use by authorities of their data, there is no ability for EU citizens to complain or take action against the interception and use by US authorities of their personal data. The AG considers this to constitute disproportionate interference with the rights afforded to EU citizens by the Charter.
The AG also notes that “in order to attain a level of protection essentially equivalent to that in force in the European Union, the Safe Harbor scheme… should be accompanied by adequate guarantees and a sufficient control mechanism”.
In light of the above points, the AG’s opinion is that:
- the SH Decision is no longer valid as the Safe Harbor regime no longer offers protections that are ‘equivalent’ to those in force within the EU; and
- the Commission erred in not suspending transfers of personal data to the US pursuant to Safe Harbor, before entering into negotiations with the US to address the above issues. In fact, the AG believes that entering into these negotiations clearly suggests that the Commission has already determined the Safe Harbor regime is inadequate.
What are the consequences – is Safe Harbor still valid?
For now, yes, Safe Harbor is still valid. However, it seems very likely that the CJEU will make a ruling which at least in part reflects the points raised by the Opinion, meaning Safe Harbor (as we know it) could be ruled invalid within the coming months.
However, negotiations are still ongoing with the US and this Opinion could accelerate the speed at which such negotiations progress, and even force the US to accept some of the failings and take steps to ensure the system does not completely collapse (e.g. by putting in place an effective supervisory body).
What is perhaps of greater impact (in the long term) is the concept of DPAs having powers to independently determine whether or not to accept a decision of the Commission. The whole purpose of the incoming GDPR is to harmonise the data protection laws of the EU. However, it will be difficult to achieve such harmony if each state can take its own view on matters – such a scenario could create much more disparity and confusion than exists currently. For example, the AG’s Europe could presumably have some Member States regarding one list of countries as providing adequate protections, while other Member States may take a different view.
What should you do?
For the thousands of businesses that rely on Safe Harbor to transfer their data, the question is going to be: what should they do?
Businesses should remember that this is an opinion on the interpretation of applicable EU law by the AG – the CJEU is not bound by it, but it is likely to be a strong influence on the final decision of the CJEU due later this year.
Further, impacts on trade & commerce, costs and the resources of the Member State DPAs to handle investigations – and other real world impacts - aren’t something that gets considered here in a process that is focused on interpretation of existing laws to protect fundamental rights confirmed by the Charter. These points will be considered later, hopefully before a final binding decision on the future of Safe Harbor is made.
In the meantime, the SH Decision and therefore Safe Harbor does still stand as valid… but it is hanging on by a thread.
It is to be hoped that the Opinion will inject further rigor and more speed into US-EU renegotiations on Safe Harbor. It is also to be hoped that none of the DPAs (or the Commission for that matter) jump the gun and move to suspend Safe Harbor now rather than await the final CJEU ruling.
However, for now, other mechanisms for addressing transfers to the US do exist and businesses relying on Safe Harbor might want to give careful consideration to their ‘Plan B’ - if not implementing any actual changes just yet.