The Safe Harbor arrangement for the transfer of personal data from the EU to the US will not hold long in its current form. The European Court of Justice (ECJ) will decide on a case about the legality of Safe Harbor in the coming months. If the ECJ follows the recent opinion of Advocate General Bot, the 15-year-old Safe Harbor arrangement will be rendered invalid. Data protection authorities of EU member states will also have more power to suspend transfers if they consider them non-compliant with the adequacy requirements for international data transfers. European organisations that rely on the processing of personal data in the US (for instance, having central HR systems or customer databases in the US, having personal data processed by a US provider or storing data in the cloud) should immediately review their data flows. We advise these companies to consider alternative cross-border transfer solutions for compliance with EU data protection law, for example through Binding Corporate Rules or EC model contractual clauses. The same goes for American companies doing business in the EU.
On 23 September 2015, the Advocate General of the ECJ delivered a non-binding but highly influential opinion in Maximillian Schrems v Data Protection Commissioner. The case relates to the transfer of personal data to the US under the Safe Harbor arrangement.
The Advocate General considered the validity of the EU-US Safe Harbor scheme, and the authority of the European national data protection authorities to review the data transfers under this scheme. The Advocate General came to the following conclusions:
- National data protection authorities are not prevented from investigating data transfers against the adequacy of a non-EU country’s level of data protection laws or, where appropriate, from suspending the transfer of that data.
- The EC Decision 2000/520/EC on the adequacy of protection under Safe Harbor is invalid.
Is this a final decision of ECJ?
No, the opinions of the Advocate General are not binding on the ECJ, and the final judgment might still diverge significantly from this opinion. However, the ECJ follows the opinion of the Advocate General in approximately 80% of cases. The ECJ will issue a formal ruling on this matter within three to six months.
The ECJ decision will be guiding for all national data protection authorities and courts in reviewing the validity of transfers based on Safe Harbor or other adequacy mechanisms.
What is the Safe Harbor Framework?
The EU data protection law prohibits transfers of personal data to countries outside the EU where protection of personal data does not comply with the EU standards – including to the US. The EU-US Safe Harbor Framework was agreed in 2000 and formalised by the European Commission’s (EC) decision 2000/520/EC. It permits the transfer of personal data of Europeans to US companies that are self-certified under the Safe Harbor Privacy Principles and registered with the US Department of Commerce. Compliance is monitored and enforced by the Federal Trade Commission (FTC).
The scheme has always faced pressure from the European Parliament, the EU data protection authorities, and human rights activists for failure to provide sufficient safeguards to protect the personal data of Europeans. In March 2014, following the Snowden revelations, the European Parliament adopted a resolution calling on the European Commission to immediately suspend the Safe Harbor agreement; the EC did not act on it.
What are the main facts of this case?
After the Snowden revelations, Austrian PhD student Maximillian Schrems filed a complaint with the Irish Data Protection Commissioner (Irish DPA) against Facebook Ireland, objecting to the fact that its servers holding personal data are located in the US. He argued that there is no protection of the personal data of EU citizens against state surveillance in the US. The Irish DPA rejected the claim, stating that EC Decision 2000/520/EC on the adequacy of Safe Harbor was binding and that it had no authority to review the claim. Schrems appealed to the Irish High Court, which then referred the case to the ECJ.
What did the Advocate General say about the powers of national data protection authorities?
The Advocate General denies an absolute binding character of EC decisions establishing that a third country ensures an adequate level of protection of personal data. He claims that although the national supervisory authorities are bound by the decision of the EC, they cannot reject complaints without an examination of their merits. If a national data protection authority considers that a transfer of data undermines the protection of the personal data of EU citizens, it has the power to suspend that transfer, irrespective of the general assessment made by the EC in its decision. The ECJ’s press release summarised that where “systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU [including the protection of personal data]”.
Why did the Advocate General consider the Safe Harbor decision invalid?
According to Advocate General Bot, the 2013 Snowden revelations demonstrated that US law and practice allow the large-scale, generalised collection of citizens’ personal data transferred under the Safe Harbor scheme. This leads to the conclusion that the Safe Harbor scheme does not ensure adequate protection of personal data as required by the Data Protection Directive 95/46/EC, and that Decision 2000/520/EC is no longer valid.
The reasoning for this is that EU citizens have no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected and then transferred to the US. The interference with fundamental rights of EU citizens is wide-ranging and is particularly serious, given the large number of users concerned and the quantities of data transferred. Those factors, associated with the secret nature of the US authorities’ access to the personal data transferred to the companies in the US, make the interference extremely serious.
The lack of oversight available to EU citizens in respect of such data processing also interferes with the right of EU citizens to an effective remedy as guaranteed by the European Charter.
Can companies still rely on Safe Harbor?
At this stage, the adequacy of Safe Harbor still stands and it remains a valid transfer mechanism for personal data to the US.
The ECJ might disagree with the reasoning and conclusions of the Advocate General altogether and confirm the position of the Irish DPA that the Safe Harbor decision is mandatory and binding on national data protection authorities. In that case, the only thing left would be to await the results of the negotiations between the EU and the US on the amendment of the Safe Harbor regime.
However, if the ECJ adopts the view of the Advocate General, either partially or in full, the following developments are expected:
- If the ECJ declares EC Decision 2000/520/EC on Safe Harbor invalid, all data transfers to the US that relied on the Safe Harbor mechanism would be unlawful with direct effect. This means that the companies would need to have alternative legal grounds for international data transfers to the US (see below).
- If the ECJ confirms that the data protection authorities may (or are even mandated to) investigate the adequacy of a third country, we can expect a flood of complaints from individuals to national data protection authorities challenging Safe Harbor and other adequacy decisions in individual transfers.
What should my company do?
US and European companies are advised to immediately review their cross-border data flows to the US and to consider alternative mechanisms that may provide more stable methods of transferring data. The following relevant alternatives for the transfer of personal data to the US are available:
- Binding Corporate Rules (BCR) for intra-group data transfers. BCR is a well-established and reliable method for cross-border transfers of personal data, currently implemented by more than 70 multinationals in order to ensure adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals for all transfers of personal data protected under European law.
- EC Model Contracts Clauses for the transfer of personal data to third countries (preferred for third parties). The clauses are model provisions on data protection approved by the EC. If adopted in unmodified form, the clauses generally permit transfers to a non-EEA country without further approval by a national data protection authority.
- Consent of data subject. However, consent may be revoked by a data subject at any time and is not considered to be a valid basis for the transfer of personal data of employees.
However, even these solutions for transfers to the US might come under pressure due to the US’s massive and indiscriminate surveillance practices and the lack of judicial redress mechanisms for European citizens. In any case, it is safe to say that, in view of the pending ECJ ruling on the Schrems case, the EU data protection authorities will maintain a critical stance towards the operation of any data transfer mechanism. EU data protection authorities will be able to scrutinise individual cases concerning the adequate level of protection in the third country and suspend the contested transfer of data.
The ECJ will issue a final ruling in the coming months, but it will neither change the situation of the mass surveillance of personal data by the US authorities nor will it provide for adequate judicial redress for the EU citizens in the US.
The Safe Harbor agreement is currently being renegotiated by the US and the EU, and these negotiations are progressing very slowly. The amended Safe Harbor is expected to address, among other things, the national security access issues that have raised concerns. The C‑362/14 case may provide an additional incentive to wrap up the negotiations rapidly, possibly even before the ECJ renders its final decision.