It all started with an Austrian law student who wanted to understand what Facebook does with his personal data. As a result of Maximilian Schrems’s complaint about Facebook’s privacy practices and the litigation that followed that inquiry, the Advocate General to the EU Court of Justice has called for invalidating the EU-U.S. framework for data exchange on the ground, among others, that it does not prevent mass access to data by American intelligence agencies. As a result, the Safe Harbor, which is used as a basis for data sharing between the European Union and the United States by thousands of multinational companies, may be in jeopardy.
Many multinational companies based in the United States rely upon the Safe Harbor Framework approved by the EU in 2000 as part of their strategy to transfer personal data about employees and customers from countries in the EU to the U.S. Under the Safe Harbor Agreements, U.S. companies doing business in Europe may be compliant with the national laws implementing the European Union’s Directive on Data Protection when they transfer personal data to their U.S. subsidiaries, if they (1) are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation, (2) agree to abide by certain data privacy protections, (3) certify their compliance with the U.S. Department of Commerce, and (4) comply with other EU restrictions on the transfer of information in general.
Mr. Schrems complained to the Irish Data Protection Commissioner about the transfer of his data by the Irish subsidiary of Facebook to the U.S. after U.S. intelligence agencies’ data collection of social media was disclosed by Edward Snowden. The Irish authority rejected the complaint based on their view of the Safe Harbor framework. Schrems appealed to the Irish High Court, which referred the matter to the EU Court of Justice for a preliminary ruling. In making the referral, the Irish High Court noted preliminarily that the evidence that U.S. intelligence agencies may intercept personal data was not known at the time the European Commission upheld the Safe Harbor framework. Accordingly, the Irish court requested the guidance of the EU Court as to whether an EU national data protection authority (specifically in this case, the Irish data protection commissioner) could conduct its own investigation to determine whether the U.S. adequately protected personal data despite the EU Commission’s prior decision that the Safe Harbor Framework was adequate.
Although the EU Court of Justice has not yet rendered a decision, the EU Court of Justice Advocate General, Yves Bot, who routinely provides non-binding recommendations to the EU Court, has provided his opinion in response to the Irish High Court’s request for guidance. There, he made clear he believes that the data protection authorities in Ireland, as well as in any other EU Member State, have the authority to investigate the adequacy of data protection in transferee countries when claims are made that such transfers violate the fundamental rights of their citizens, notwithstanding the Commission’s previous finding that such data protection was adequate. Advocate General Bot went further to call into question the entire Safe Harbor Framework:
It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.
He based his conclusion that the Safe Harbor Framework no longer provides an adequate level of data protection by EU standards on the recent revelations of surveillance activities by U.S. authorities. Thus, the Advocate General concluded that the Data Protection Commissioner of Ireland as well as any other data protection authority in the EU should be able to suspend data transfers between Ireland or another Member State and the United States.
The EU Commission has acknowledged the problems posed by U.S. surveillance activities and points out that negotiations with U.S. authorities are underway to renew and amend the Safe Harbor arrangement in view of the surveillance revelations. The Commission has apparently taken the position that data transfers could continue during these negotiations. The Advocate General flatly rejected that position and opined that national authorities should be able to suspend data transfers in the meantime.
The European Court of Justice has yet to render a decision, and it is not yet known whether it will even decide to address the issue of Safe Harbor validity. For now, the Safe Harbor Framework remains valid, although if the Court of Justice accepts the position of the Advocate General, at least some individual member states may seek to halt data transfers to the United States, concluding that the Safe Harbor Framework no longer provides an adequate level of protection for their citizens.
The practical effects of the opinion are unclear. In early September, the EU Commission and the U.S. Government announced agreement on a new EU-US data protection “Umbrella Agreement.” Implementation of that agreement, however, is suspended pending passage by the United States of the Judicial Redress Act, which would amend the Privacy Act of 1974 to give EU citizens the right to seek judicial redress before U.S. courts should U.S. authorities unlawfully disclose their personal data. As with many matters before the U.S. Congress, there has not been much movement on this proposed legislation, although the Advocate General’s opinion may stimulate more legislative activity during this Congress. In any event, as recent Federal Trade Commission enforcement activity has made clear, compliance even with existing Safe Harbor Framework requirements remains fragmentary.
If the Court of Justice adopts the Advocate General’s views concerning the Safe Harbor, communications between U.S. and EU companies may not be immediately impacted. If the EU Court declares the Safe Harbor inadequate, multinational companies may be required to find other ways to provide sufficient data protection. Data protection authorities will evaluate whether these protections are sufficient, and each authority will determine how to enforce adequate data protection. Any such actions, however, may be challenged by future litigants, and the conflicting national security and privacy interests of the various countries, organizations, and individuals will continue to be extremely difficult to resolve.