The Safe Harbor scheme may not provide adequate safeguards to protect the privacy of personal data transferred to the US from the EU, according to a recent opinion by the Advocate General (AG).

The AG’s opinion, if followed by the EU’s Court of Justice, would invalidate a ruling in 2000 by the European Commission (Decision 2000/520) that Safe Harbor did ensure an adequate level of protection.

In the AG’s opinion, this decision made excessive use of derogations including some that allow the Safe Harbor principles not to be followed in certain circumstances, mainly in the interest of national security.

If Safe Harbor is ruled inadequate because it allows the personal data of EU citizens stored in the US to be accessed by the NSA and other security agencies, thousands of companies will have to find alternative ways to ensure a lawful transfer of personal data from the EU to the US.

The Safe Harbor scheme is a set of principles and rules for processing personal data that was developed in the US. US organisations wishing to transfer personal data from the EU to the US may subscribe to the scheme voluntarily with the US Department of Commerce. A list of all participating organisations can be found here.

Safe Harbor was necessitated by EU data protection laws which prohibit the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". Without Safe Harbor, the US does not provide an adequate level of protection.

Many companies store their employees' and clients' data in the USA, especially US-owned companies using IT systems at the US headquarters to administer HR and CRM data, and European companies outsourcing their IT systems to cloud service providers which, more often than not, use US-based servers to store the data – including personal data.

The AG’s opinion relates to a case brought by an Austrian student, Max Schrems, about Facebook’s transfer of his personal data to the US for storage on its US servers.

Law: Advocate General’s opinion in Maximilian Schrems v Data Protection Commissioner (Case C-362/14)