Pursuant to European Commission Decision 2000/520, United States–based companies may freely process the personal data of European Union citizens, provided that those companies adhere to the principles and frequently asked questions contained in Decision 2000/520, referred to as the “safe harbor” scheme. Decision 2000/520 is made within the framework allowed for in Directive 95/46/EC, which, among other things, allows for the transfer of EU citizens’ personal data to foreign countries that afford adequate levels of privacy protections.
The principles and frequently asked questions developed by the U.S. Department of Commerce in conjunction and consultation with the European Union are designed to provide a presumption of adequate privacy protection measures to eligible U.S. businesses. The ultimate goal of Decision 2000/520 is to provide relative ease of compliance and predictability to eligible U.S. companies and to foster U.S.-EU trade. While Decision 2000/520 has been at times challenged and derided within the European Union, it has served as the “rules of the road” for U.S. companies handling the personal data of EU citizens for the better part of two decades. The order established by Decision 2000/520 is now facing its toughest challenge yet before the Court of Justice of the European Union in the case of Schrems v. Data Protection Commissioner (C-362/14).
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. Facebook, a U.S. company with an EU subsidiary based in Ireland, transfers the personal data of its EU members to servers located in the United States. In the wake of the Edward Snowden scandal Schrems, purportedly concerned about the security of data stored in the United States and the perceived risk of surveillance by the National Security Agency, lodged a complaint with the Irish Data Protection Commissioner (Irish Commissioner). The Irish Commissioner rejected Schrems’s complaint, and decided that, pursuant to Decision 2000/520, the European Union has determined that the United States ensures an adequate level of personal data privacy protection, such that eligible and compliant U.S. companies may freely process the personal data of EU citizens.
Schrems, in appealing the Irish Commissioner’s decision to the High Court of Ireland, asserts that Decision 2000/520 and the safe harbor scheme should not preclude national privacy authorities in EU member states from investigating complaints of inadequate privacy protections and suspending data transfers where appropriate.
The Advisory Opinion
On September 23, 2015, Advocate General Yves Bot of the Court of Justice of the European Union issued an advisory opinion to the High Court of Ireland siding with Schrems. Advocate General Bot argues that Decision 2000/520 cannot supplant the powers of the national supervisory authorities of EU member states. Advocate General Bot takes the position that where a data transfer undermines the protections guaranteed to EU citizens, it has the power to suspend such transfers. In all, Advocate General Bot argues that Decision 2000/520 represents a general assessment of U.S. privacy laws, but should not prevent national authorities from safeguarding the fundamental rights of EU citizens, including the right to the protection of personal data.
Advocate General Bot’s decision is not limited to the facts of the Schrems case and instead could have an enormous impact on U.S. companies doing business in the EU. If adopted by the High Court of Ireland, the Bot decision would eliminate the safe harbor from EU privacy law afforded to U.S. companies under Decision 2000/520. Eliminating the Decision 2000/520 safe harbor could leave U.S. companies in a state of uncertainty and require them to take a long hard look at the EU’s onerous compliance requirements.