A high-level advisor to the European Court of Justice, Advocate General Yves Bot, yesterday recommended that Europe’s highest court invalidate the 15-year-old “Safe Harbor” agreement (the “Agreement”) between the U.S. and the 28 member states of the European Union (EU). Observers of the EU Court of Justice note that the Court rarely disagrees with the recommendations of the Advocate General, so it is likely that the Agreement will be declared invalid sometime before the end of the year. An end to the Agreement may have significant repercussions for companies that transfer data between the U.S. and EU countries, up to and including the complete revision of the protocols for compliance reviews, audits, and internal investigations.
The Agreement was put in place two years after the European Commission’s Directive on Data Protection (the “Directive”) went into effect. The Directive prohibited the transfer of personal data to non-European Union countries that do not meet the EU’s “adequacy” standard for privacy protection. The standards for data protection and privacy in the United States differ significantly from those in the EU. The so-called “Safe Harbor” Agreement was put in place to enable U.S. companies to comply with the Directive and continue to do business in the EU and transfer data across the Atlantic. Companies wishing to gain Safe Harbor status did so primarily through a process of self-certification. More than 4,000 American companies operate under the Agreement and are expected to treat data transferred during the course of their business operations with the same privacy protections as if the data had remained within the EU.
While questions about the adequacy of the Agreement in protecting the personal data of EU citizens have been around nearly since its inception, the case that has brought the issue before the EU’s highest court was partly set in motion by the revelations of Edward J. Snowden, the former National Security Agency (NSA) contractor who infamously revealed details of the U.S. government’s “Prism” program, which supposedly gave the agency access to data collected by several giant U.S. tech companies, including Google and Facebook. Bot’s recommendation argues that the NSA’s access to information on European users of Facebook and other companies broke the Directive and violated the EU’s privacy rules. Bot further argues that data sharing under the Agreement does not give Europeans sufficient recourse if their data is misused by companies or national governments.
Should the EU Court of Justice follow Bot’s recommendation and invalidate the Agreement, the operations of companies doing business in the EU could be severely disrupted. The lobbying group Digital Europe, which counts Google and Microsoft among its members, expressed concern that the adoption of Bot’s recommendation could “disrupt the EU's plans for the digital single market, a set of harmonized e-commerce, copyright and privacy laws, and call into question model contract clauses on data sharing the world over.”
Given the likelihood of a decision invalidating the Safe Harbor Agreement, it is not too soon for companies that currently operate under its provisions to begin to consider their options should the Court issue a decision in line with the recommendations of Advocate General Bot. Companies must closely evaluate whether they need to completely revise their protocols for compliance reviews, audits, and internal investigations, since current protocols are set up to address the requirements of the Safe Harbor framework for data protection and privacy. Others may need to consider relocating servers from U.S. soil to the EU in order to comply with what may turn out to be a multitude of data protection laws that vary from country to country should the High Court invalidate the Safe Harbor Agreement.