Many multinational companies based in the United States need to export personal data on employees and customers from countries in the European Union. Such data may be transferred on employees to process payrolls and on customers in order to process orders. These exports are able to occur now without violating E.U. data privacy regulations because of a Safe Harbor Agreement between the United States and the European Union. U.S. companies subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation can qualify for the safe harbor and transfer personal data from the E.U. to the U.S., if they agree to abide by certain data privacy protections and that agreement is filed with the Department of Commerce. More details can be found on the Safe Harbor website.
That arrangement may be in jeopardy, however, due to a recent non-binding, but highly influential, opinion by E.U. Court of Justice Advocate General Yves Bot. The opinion came in response to a request by the High Court in Ireland in connection with a case pending before it filed by an Irish Facebook subscriber who contended that transfer of his personal data to U.S. Facebook servers violated Ireland’s data privacy laws. According to the complaint, the U.S. Safe Harbor exemption no longer applied because of the ability of the National Security Agency, the FBI and other U.S. intelligence agencies, to intercept that data. The High Court noted preliminarily that this ability to intercept such data invalidated the E.U. Commission decision accepting the Safe Harbor agreement between the E.U. and the U.S. because this surveillance activity had not been known at the time of the Commission decision. Because of this, the Irish court concluded that it would have to conduct its own investigation to determine whether the U.S. adequately protected personal data. It stayed proceedings and referred to the E.U. Court of Justice the question as to whether it had the authority to make its own investigations into this matter notwithstanding the Safe Harbor agreement
The Advocate General of the Court of Justice agreed. He noted, initially, the authorities in member states had the authority to investigate the adequacy of data protection in transferee countries notwithstanding a Commission finding of such adequacy when claims were made that such transfers violated the fundamental rights of their citizens. Then he went one step further and, more or less, told the Irish court what it could find if it conducted such an investigation:
It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.
The Advocate General also solicited comments from the Commission itself on these matters. The Commission acknowledged problems with U.S. data protection given U.S. surveillance activities, noted that it had entered into discussions with the United States on this matter, and stated that data transfers should continue during these negotiations. The Advocate General did not buy this:
I do not share that view. In the meantime, it must be possible for transfers of personal data to the United States to be suspended at the initiative of the national supervisory authorities or following complaints lodged with them.
The impact of all this, of course, depends on what the E.U. Court of Justice ultimately does. In the past, the Court of Justice has normally (but not always) followed the opinion of the Advocate General. If that happens, each member state of the E.U. will be able to suspend data transfers at least until a new safe harbor framework can be put in place. And although the E.U and the U.S. are currently negotiating a new framework, it is far from clear how it will balance the U.S. interests in broad surveillance and the E.U. interests in data privacy.