25 September 2015

Data transfers to the U.S. - Safe Harbor principle in the line of fire

A recent opinion of the Advocate General to the Court of Justice of the European Union (ECJ) could result in fundamental changes to the way EU businesses contract and share data with parties based in the United States.

EU data protection laws restrict transfer of personal data of EU citizens outside of the EU unless particular safeguards are met. At present, businesses based in the EU can transfer personal data of EU citizens to the U.S., so long as the receiving entity is registered under the U.S. Safe Harbor regime. U.S. entities registered under the Safe Harbor regime are deemed to ensure adequate levels of protection and data transfers are deemed compliant with EU law.

On 23 September 2015, the ECJ Advocate General, Mr. Yves Bot, published his opinion in the case Maximillian Schrems v Data Protection Commissioner, informally known as “Facebook v Europe”. Mr Bot suggested that the Safe Harbor regime does not ensure adequate protections for EU citizens and that data transfers to U.S. entities may be unlawful.

This case may have significant consequences for European companies sending personal data to U.S. companies and U.S. subsidiaries. Moreover, it may influence data transfers to any country outside of the European Union. The concept of Safe Harbor arrangements is at stake.

Mr. Schrems, an Austrian citizen, asked the Irish Data Protection Commissioner to investigate the personal data handled by Facebook Ireland. Using Facebook, his data was sent from an Irish server to a U.S. server. In his view, this was a violation of the European - U.S. Safe Harbor principles since the law and practices of the U.S. offer insufficient protection against surveillance by U.S. authorities. 

In an earlier ruling, the Irish Data Protection Authority dismissed this complaint. According to the decision of the European Commission, dated of 26th July 2000, which established the Safe Harbor programme, the U.S. ensures an adequate level of protection of the personal data transferred. Therefore, EU businesses could legally transfer data to entities registered under the Safe Harbor, a position implemented by national data protection authorities in the EU.

This outcome is now questioned by the Advocate General. He argues that the decision finding of the European Commission that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers. Contrary to the European Commission’s point of view, if the national supervisory authorities receive individual complaints, that does not prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.

If national supervisory authorities were bound by decisions taken by the European Commission, this would inevitably limit their independence. In accordance with their role as guardians of fundamental rights, national supervisory authorities must be able to investigate, with complete independence, complaints submitted to them. This is in accordance with the higher interest of the protection of individuals with regard to the processing of personal data.

Furthermore, he considers the decision of the European Commission that the U.S. ensures an adequate level of protection to be invalid. According to the opinion, evidence of mass indiscriminate surveillance, lack of judicial oversight and the activities of government authorities revealed by Edward Snowden, indicate that the U.S. does not provide an adequate level of protection for the rights of individuals as required by EU law. According to the Advocate General, the European Commission should have suspended the Safe Harbor programme.

Although the opinion is non-binding, the ECJ often follows the view of the Advocate General and judgment will follow in due course.

Furthermore, the opinion is published at a crucial time with the U.S. and the European Commission engaged in ongoing discussions regarding a revised Safe Harbor Agreement. The parties have indicated that discussions would be concluded by the end of 2015. It appears that the main unresolved issue in discussions surrounds data access by U.S. authorities; a key question in the Facebook v Europe case. Accordingly, the outcome of the case may shape those discussions and any revised Safe Harbor arrangement. 

In addition, any new European – U.S. Safe Harbor Agreement will be an important template regarding any non EU-country. Therefore, the ECJ case and the Safe Harbor discussions are also of relevance to businesses in other regions.

Whatever the outcome, fundamental changes to the Safe Harbor regime are on the horizon.

Digital Intelligence

Digital innovation will be a game changer across a wide variety of industries globally. Our Digital Intelligence hub contains a number of resources to help you embrace and face digital disruption head on.

Digital Intelligence

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter Share on Google+
    You might also be interested in

    The European Commission has formally adopted the EU-US Privacy Shield; however will this provide legal certainty for transatlantic data transfers?

    19 July 2016

    Safe Harbor agreements and personal data transfers: King & Wood Mallesons report

    15 October 2015

    Companies, such as Facebook or Google, can no longer base the transfer of personal data to servers in the US on the so called “Safe Harbor Decision” of the European Commission.

    07 October 2015

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.