A recent opinion of the Advocate General to the Court of Justice of the European Union (ECJ) could result in fundamental changes to the way EU businesses contract and share data with parties based in the United States.
EU data protection laws restrict the transfer of personal data of EU citizens outside of the EU unless particular safeguards are met. At present, businesses based in the EU can transfer personal data of EU citizens to the U.S., so long as the receiving entity is registered under the U.S. Safe Harbor regime. U.S. entities registered under the Safe Harbor regime are deemed to ensure adequate levels of protection, and data transfers to them are deemed compliant with EU law.
On 23 September 2015, the ECJ Advocate General, Mr. Yves Bot, published his opinion in the case Maximillian Schrems v Data Protection Commissioner, informally known as “Facebook v Europe”. Mr. Bot suggested that the Safe Harbor regime does not ensure adequate protections for EU citizens and that data transfers to U.S. entities may be unlawful.
This case may have significant consequences for European companies sending personal data to U.S. companies and U.S. subsidiaries. Moreover, it may influence data transfers to any country outside of the European Union. The concept of Safe Harbor arrangements is at stake.
Mr. Schrems, an Austrian citizen, asked the Irish Data Protection Commissioner to investigate the personal data handled by Facebook Ireland. When he used Facebook, his data was sent from an Irish server to a U.S. server. In his view, this was a violation of the European – U.S. Safe Harbor principles, since the law and practices of the U.S. offer insufficient protection against surveillance by U.S. authorities.
In an earlier ruling, the Irish Data Protection Authority dismissed this complaint. According to the decision of the European Commission, dated 26 July 2000, which established the Safe Harbor programme, the U.S. ensures an adequate level of protection of the personal data transferred. Therefore, EU businesses could legally transfer data to entities registered under the Safe Harbor, a position implemented by national data protection authorities in the EU.
This outcome is now questioned by the Advocate General. He argues that a European Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers. Contrary to the European Commission’s point of view, such a decision does not prevent national supervisory authorities that receive individual complaints, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.
If national supervisory authorities were bound by decisions taken by the European Commission, this would inevitably limit their independence. In accordance with their role as guardians of fundamental rights, national supervisory authorities must be able to investigate, with complete independence, complaints submitted to them. This is in accordance with the higher interest of the protection of individuals with regard to the processing of personal data.
Furthermore, he considers the decision of the European Commission that the U.S. ensures an adequate level of protection to be invalid. According to the opinion, evidence of mass indiscriminate surveillance, lack of judicial oversight and the activities of government authorities revealed by Edward Snowden indicates that the U.S. does not provide an adequate level of protection for the rights of individuals as required by EU law. According to the Advocate General, the European Commission should have suspended the Safe Harbor programme.
Although the opinion is non-binding, the ECJ often follows the view of the Advocate General, and judgment will follow in due course.
Furthermore, the opinion is published at a crucial time, with the U.S. and the European Commission engaged in ongoing discussions regarding a revised Safe Harbor Agreement. The parties have indicated that discussions would be concluded by the end of 2015. It appears that the main unresolved issue in the discussions concerns data access by U.S. authorities, a key question in the Facebook v Europe case. Accordingly, the outcome of the case may shape those discussions and any revised Safe Harbor arrangement.
In addition, any new European – U.S. Safe Harbor Agreement will be an important template for arrangements with any non-EU country. Therefore, the ECJ case and the Safe Harbor discussions are also of relevance to businesses in other regions.
Whatever the outcome, fundamental changes to the Safe Harbor regime are on the horizon.