The Advocate General has, today, published an Opinion that the US Safe Harbor is invalid. As Safe Harbor is relied on by many companies to permit the transfer of personal data from Europe to the US, today's decision creates a huge potential roadblock for international business. It also raises questions as to how best to legitimise the international transfer of personal data and whether alternatives to Safe Harbor now need to be adopted. As it stands Safe Harbor remains a valid basis for data export. Today's Opinion is not the final word. That will be a decision for the Court.
The Story so Far...
The background is that Max Schrems (an Austrian citizen and privacy campaigner) made a complaint against Facebook. His complaint was that, in the light of the Edward Snowden revelations of 2013, the law of the US offered no real protection against surveillance. Facebook's EU headquarters are based in Ireland. The Irish Data Protection Authority rejected the complaint on the basis that Safe Harbor applied, and since this was pursuant to an EU Commission decision, that should be an end of the matter.
Schrems then pursued the complaint to the High Court of Ireland, which referred the matter to the Court of Justice of the European Union (CJEU). Today's Opinion is issued by the CJEU's Advocate General. This is a preliminary step in the Court process. It is not binding on the Court of Justice; the Court will make its own decision in due course.
The Opinion addresses two key questions:
Can a DPA investigate on a Safe Harbor issue?
The first question is whether, given that there is a Commission decision on Safe Harbor, local Data Protection Authorities can still investigate complaints relating to it. Or does the existence of the Commission decision trump the local DPAs' powers?
Answer: the local DPAs retain independent rights to investigate complaints including in connection with data transfers pursuant to US Safe Harbor.
The Advocate General said that although DPAs are legally bound by the Commission decision, there must be an independent right to investigate and ban data exports where appropriate. The Advocate General also highlighted the fact that these rights are protected in the EU by the Charter of Fundamental Rights. Effectively, the EU Charter elevates data protection to something akin to a human right.
Is Safe Harbor invalid?
Answer: Yes! It is invalid!
The Advocate General says that the law and practice of the US allows large scale collection of personal data of EU citizens without those citizens benefiting from effective judicial protection. On this basis, Safe Harbor does not contain sufficient guarantees and fails to satisfy the requirements of the Data Protection Directive or the Charter of Fundamental Rights. A lot of this is driven by the Snowden revelations in 2013 and the lack of legal remedies for EU citizens in the US.
Negotiations on Safe Harbor
As you probably know, the EU has, for some time, been negotiating a series of upgrades to the Safe Harbor regime to better meet EU standards. These negotiations are still underway and we are expecting a deal on this to be agreed fairly soon. However, until that happens, we only have the Advocate General's opinion.
What does this mean?
This Advocate General's Opinion is probably the most tangible impact of the "Snowden Effect". However, it is not a huge surprise. It would have been difficult for the Advocate General to say anything else as the EU has already accepted that Safe Harbor is deficient. That's why the EU is negotiating for an upgrade.
However, this Opinion is not binding on the Court of Justice. The Court may decide differently. Nevertheless, the risks of scrutiny may be greater in countries like Germany where some of the DPAs have already been vocal in their criticism of Safe Harbor.
It is also pretty clear which way the wind will blow. If the issue is not fixed, this will be a huge issue for international businesses that need to transfer data across their international operations or to vendors. For example, anyone using a US cloud-based vendor for data processing will, potentially, need a suite of model contracts (i.e. data transfer agreements). This is one other basis on which to legitimise the international transfer of data. It is not clear what additional protection model contracts provide over Safe Harbor, but this is more of a political and philosophical debate. Companies may also look again at Binding Corporate Rules (another "international data passport").
In the meantime, the Advocate General's Opinion raises the question as to how best to legitimise international data transfers and whether additional steps are required to insure you against the risk of non-compliance.