Today an important statement was issued endangering the free flow of personal data from the European Union to the United States. Advocate General Bot issued his opinion to the Court of Justice of the European Union (CJEU) in the Facebook case on whether or not a national supervisory authority has the right to prohibit transfers of personal data to the United States, even if the recipient is Safe Harbor certified. Safe Harbor is a framework, endorsed by the European Commission fifteen years ago, allowing for the transfer of personal data from the EU to undertakings in the US that adhere to its principles. The Advocate General also advises the CJEU to declare the Safe Harbor scheme invalid. If followed by the judges, this opinion may cause global organisations to rethink their cross-border data transfers.
In the Opinion delivered today, 23 September 2015, Advocate General Bot concluded that:
- the existence of a European Commission Decision does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred, and, where appropriate, from suspending the transfer of that data;
- the Commission’s Decision on the adequacy of the protection provided by the Safe Harbor privacy principles is invalid.
The Opinion stems from a complaint to the data protection authority in Ireland that Facebook Ltd keeps its subscribers’ personal data on servers located in the US whereas, it was put forward, the law and practices in the US do not offer adequate protection against State surveillance. The Irish Commissioner considered that there was no requirement to investigate the complaint due to Decision 2000/520, whereby the Commission found that under Safe Harbor, the US ensured an adequate level of protection of the personal data transferred.
The proceedings were brought before the High Court for judicial review, and the High Court concluded that once personal data is transferred to the US, the NSA and similar agencies are able to access it in the course of mass surveillance and interception of such data. This reasoning was driven by the revelations based on leaked documents from Edward Snowden back in June 2013, which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU. The High Court invited the Court of Justice of the European Union (CJEU) to clarify the landscape.
In summary, Advocate General Bot concluded that national supervisory authorities must be able to investigate where they receive a complaint that calls the level of protection ensured by a third country into question, even where the Commission has carried out an assessment and decided an adequate level of protection is provided. The reasoning continues that not only is the Commission informed that its finding in Decision 2000/520 is subject to criticism, but it is also itself entering negotiations to remedy the situation. Ultimately, the Advocate General’s view is that a national supervisory authority must enjoy independence, allowing it to form its own opinion, free from external influence.
Impact for businesses?
What is the impact of this opinion for businesses active in data sharing overseas? We must keep in mind that this is a non-binding Opinion of the Advocate General to the Court; however, if the CJEU follows the same reasoning, the practical impact for business could be quite significant.
- If a national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the United States, irrespective of the Safe Harbor framework that has been endorsed by the Commission, there is a new and potentially substantial obstacle for US companies to overcome in order to gain access to EU data. For instance, US companies may need separate consent arrangements or transfer agreements before EU citizens and companies feel comfortable sharing their personal data.
- Further, it’s possible that we find ourselves in a highly fragmented environment given the potential for challenges from 28 national supervisory authorities if it is considered that a transfer does not provide adequate protection for European citizens.
Surely the Opinion begs more questions than it provides answers at a time when Europe is trying to clarify how data should be protected by establishing a common set of rules with the draft EU General Data Protection Regulation.