25 September 2015

Data transfers to the U.S. - Safe Harbor principle in the line of fire

A recent opinion of the Advocate General to the Court of Justice of the European Union (ECJ) could result in fundamental changes to the way EU businesses contract and share data with parties based in the United States.

EU data protection laws restrict transfer of personal data of EU citizens outside of the EU unless particular safeguards are met. At present, businesses based in the EU can transfer personal data of EU citizens to the U.S., so long as the receiving entity is registered under the U.S. Safe Harbor regime. U.S. entities registered under the Safe Harbor regime are deemed to ensure adequate levels of protection and data transfers are deemed compliant with EU law.

On 23 September 2015, the ECJ Advocate General, Mr. Yves Bot, published his opinion in the case Maximillian Schrems v Data Protection Commissioner, informally known as “Facebook v Europe”. Mr Bot suggested that the Safe Harbor regime does not ensure adequate protections for EU citizens and that data transfers to U.S. entities may be unlawful.

This case may have significant consequences for European companies sending personal data to U.S. companies and U.S. subsidiaries. Moreover, it may influence data transfers to any country outside of the European Union. The concept of Safe Harbor arrangements is at stake.

Mr. Schrems, an Austrian citizen, asked the Irish Data Protection Commissioner to investigate the personal data handled by Facebook Ireland. Using Facebook, his data was sent from an Irish server to a U.S. server. In his view, this was a violation of the European - U.S. Safe Harbor principles since the law and practices of the U.S. offer insufficient protection against surveillance by U.S. authorities. 

In an earlier ruling, the Irish Data Protection Authority dismissed this complaint. According to the decision of the European Commission, dated of 26th July 2000, which established the Safe Harbor programme, the U.S. ensures an adequate level of protection of the personal data transferred. Therefore, EU businesses could legally transfer data to entities registered under the Safe Harbor, a position implemented by national data protection authorities in the EU.

This outcome is now questioned by the Advocate General. He argues that the decision finding of the European Commission that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers. Contrary to the European Commission’s point of view, if the national supervisory authorities receive individual complaints, that does not prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.

If national supervisory authorities were bound by decisions taken by the European Commission, this would inevitably limit their independence. In accordance with their role as guardians of fundamental rights, national supervisory authorities must be able to investigate, with complete independence, complaints submitted to them. This is in accordance with the higher interest of the protection of individuals with regard to the processing of personal data.

Furthermore, he considers the decision of the European Commission that the U.S. ensures an adequate level of protection to be invalid. According to the opinion, evidence of mass indiscriminate surveillance, lack of judicial oversight and the activities of government authorities revealed by Edward Snowden, indicate that the U.S. does not provide an adequate level of protection for the rights of individuals as required by EU law. According to the Advocate General, the European Commission should have suspended the Safe Harbor programme.

Although the opinion is non-binding, the ECJ often follows the view of the Advocate General and judgment will follow in due course.

Furthermore, the opinion is published at a crucial time with the U.S. and the European Commission engaged in ongoing discussions regarding a revised Safe Harbor Agreement. The parties have indicated that discussions would be concluded by the end of 2015. It appears that the main unresolved issue in discussions surrounds data access by U.S. authorities; a key question in the Facebook v Europe case. Accordingly, the outcome of the case may shape those discussions and any revised Safe Harbor arrangement. 

In addition, any new European – U.S. Safe Harbor Agreement will be an important template regarding any non EU-country. Therefore, the ECJ case and the Safe Harbor discussions are also of relevance to businesses in other regions.

Whatever the outcome, fundamental changes to the Safe Harbor regime are on the horizon.

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    Executive Summary The US International Trade Commission (“ITC”) recently suspended enforcement of its remedial orders in a patent investigation pending the appeal of a decision by the U.S...

    14 September 2020

    As of May 1, 2020, parties making a voluntary notice filing with CFIUS will have to pay a filing fee. There is no fee for declarations under the mandatory filing regime. The Treasury Department’s...

    26 May 2020

    As of May 1, 2020, parties making a voluntary notice filing with CFIUS will have to pay a filing fee. There is no fee for declarations under the mandatory filing regime. The Treasury Department’s...

    19 May 2020

    There is no doubt China deals have been more difficult to clear during the Trump years than they were previously. A database maintained by KWM shows a clearance rate of over 95% during the final...

    08 May 2020

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.