The Opinion of the Advocate General (AG) of the Court of Justice of the European Union (CJEU) on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s decisions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
Safe Harbor was the end result of several years of negotiations during the late ’90s between the European Commission and the U.S. Department of Commerce to create a self-regulatory framework that would allow U.S.-based organisations to overcome the restrictions on transfers of personal data from the EU.
Following the Snowden revelations about the mass surveillance operations, Austrian law student Max Schrems lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. Schrems claimed that Facebook Ireland – the data controller for Facebook’s European users’ data – could no longer rely on Safe Harbor to legitimise the transfers of his data to the USA because of the wide access that US authorities had to such data as revealed by Snowden.
The Irish Commissioner rejected Schrems’ complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s ‘adequacy finding’. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland. Therefore, the case concerns a narrow legal question referred by the High Court of Ireland to the CJEU about whether its local data protection commissioner is bound by the European Commission’s view that Safe Harbor provides an adequate level of protection for European data. In his long-awaited Opinion, the AG is categorical in saying that the powers of the national data protection authorities are above the Commission’s decisions and that such authorities must be able to intervene without restrictions.
However, the AG goes beyond this specific question and takes the view that Safe Harbor does not in fact provide an adequate level of data protection and that it should have already been invalidated by the European Commission. The reason for this stance is simply the fact that the access enjoyed by the U.S. intelligence services to data transferred from Europe is too wide and disproportionate, and that Safe Harbor does not contain appropriate guarantees to prevent this level of access. The AG points out that the European Commission itself knew this to be the case, which explains the current negotiations to put an end to these shortcomings.
Whilst this is the AG’s Opinion and not the CJEU’s final decision, the fact that the AG is openly supporting the view that Safe Harbor should be suspended creates uncertainty about its ongoing validity. So the question that many of us are asking ourselves is: Can we continue to rely on Safe Harbor as a valid mechanism to legitimise transfers of personal data from the EU to the U.S.? The short answer is that at this stage the adequacy of Safe Harbor still stands but data protection authorities will feel more empowered than ever to suspend transfers made on this basis.
Long term, there are three challenges to be overcome for Safe Harbor to continue to be a valid mechanism for transfers:
- The Commission and the U.S. Government need to agree on Safe Harbor #2 before the CJEU gives its final decision. If not, the CJEU’s previous stance on these issues suggests that it could be prepared to follow the AG’s Opinion.
- Safe Harbor #2 needs to be significantly different in the way it deals with national security and law enforcement exemptions, in order to satisfy the proportionality expectations in this regard under EU law. This has been a key aspect of the Safe Harbor negotiations and remains critical in order to persuade the CJEU that Safe Harbor #2 will deliver the right level of protection.
- Safe Harbor #2 needs to be robust enough from the point of view of the national data protection authorities. Given that the CJEU will likely agree with the AG on the ability of the data protection authorities to challenge Safe Harbor (or any adequacy finding for that matter), it is imperative for Safe Harbor #2 meets the expectations of those authorities.
All in all, Safe Harbor is not dead and still has a crucial role to play in delivering a strong level of protection for European data, but it is only prudent to consider other alternatives that may be deployed to ensure that transatlantic data flows continue to be lawful.