The Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, has issued his opinion on a recent data protection case, raising concerns over the adequacy of the Safe Harbor Privacy Principles in the transfer of personal data to the United States. This opinion could lead to considerable issues not only for social media platforms, but for all businesses.    

The case

As our colleagues have highlighted here, the Advocate General’s opinion is in response to a complaint lodged by Maximilian Schrems before the Irish Data Protection Authority (Irish DPA). Mr Schrems challenged the transfer of EU subscribers’ personal data from servers in Ireland to a US counterpart, which is Safe Harbor certified. The Irish DPA dismissed the complaint in light of the fact that the transfer of personal data is allowed when the receiving country ensures an adequate level of protection, recognized for US companies that have committed to comply with the Safe Harbor Privacy Principles.

The Safe Harbor Principles are a framework aimed at ensuring the compliance of US companies with the European Union standard of protection for personal data. The Principles were approved by the EU Commission, which deemed that US companies committing to such principles were offering an adequate level of protection to personal data, and as such, no consent from individuals would be necessary to allow such data transfers.

Following the positioning of the Irish DPA, Mr. Schrems escalated the matter to the High Court, which then invited the CJEU to clarify whether a Commission decision (such the one upholding the Safe Harbor Principles) could prevent a national supervisory authority from investigating allegations that the third country does not ensure an adequate level of protection and thereby suspend the contested transfer of data.

The position of the Advocate General

In this context, the Advocate General intervened, arguing that the power of investigation of national supervisory authorities shall remain intact and supervisory authorities are therefore entitled to suspend the transfer of the personal data to the US, irrespective of the general assessment made by the Commission, which is, in the Advocate General’s opinion, dated.

The Advocate General stressed the importance of independence for the national supervisory authorities and, considering the Safe Harbor scheme invalid, requested the Commission to rethink the cross border transfer of personal data to the US, and to enter into negotiations.

Possible consequences of the opinion

The opinion itself has no direct consequences as it is not binding on the CJEU, which might take a different view. However, should the CJEU follow this position, the impact on businesses could be significant. The US Safe Harbor website states that there are more than 5,000 companies adhering to the scheme, including almost all major multinational companies. Should the position of the Advocate General be confirmed, these companies would have to find another legal basis to transfer data from the EU to the US, by way of the Binding Corporate Rules or Standard Contractual Clauses, for example. Also, if the national supervisory authorities are recognized as having the power to investigate and suspend the transfer of personal data irrespective of the Commission decision, the EU framework might become especially fragmented.

With regards to Italy, the Italian DPA has never challenged the validity of the Safe Harbor Commission. However, if the decision of the CJEU follows the opinion of the Advocate General, the whole flow of business between the EU and the US might be considerably disrupted; not only for social media platforms, but for any company whose business is based on the processing of personal data – which could include most companies in the world.