Data Protection: EU court advised to declare EU-US Safe Harbor invalid

In an important case involving Facebook, and instigated by an Austrian student in response to the Snowden revelations about US security agency access to mass data, the Advocate General (“AG”) to the Court of Justice of the European Union (“CJEU”), the highest court in the EU, today released a (non-binding) opinion that “Safe Harbor” should be declared invalid. If the CJEU follows this opinion, there will be significant repercussions for EU-to-US data flows. 

What is Safe Harbor? 

The data protection law of each member of the European Union stems from the European Data Protection Directive (“Directive”). Under Article 25 of the Directive personal data may not be transferred outside Europe unless the data controller (the ”owner” of the data) assures an ”adequate level of protection”. 

The European Commission has created a "safe list” of countries, transfers to which automatically meet the adequacy standard set in Article 25. However, the US is a notable exception from this list. Instead, US entities are authorized to join the Safe Harbor scheme. 

To join Safe Harbor, which was introduced in 2000, a US company self-certifies to the US Department of Commerce (“DoC”), which administers the programme, that it adheres to the seven Safe Harbor principles, and makes a public declaration of this adherence. The company will then be added to the publicly available Safe Harbor list. Once added to the Safe Harbor list the business is deemed to have adopted an adequate level of protection for transfers of personal data to the US from EU member states and, as such, transfers can take place in compliance with EU law. To maintain membership in Safe Harbor, a company must resubmit its self-certification annually. 

Failure to adhere to the principles would lay a member open to FTC deceptive trade practices charges. 

Background to the Case: Schrems v Data Protection Commissioner of Ireland 

Facebook is a signatory to Safe Harbor and transfers European data to servers within the US. Maximillian Schrems, an Austrian, was a Facebook user. He lodged a complaint with the Irish Data Protection Commissioner (“Commissioner”) alleging that in the light of the revelations made in 2013 by Edward Snowden concerning US intelligence service indiscriminate access to mass data, the US could not be considered to offer any real protection for data transferred to that country. The Commissioner rejected the complaint, saying that in the light of Safe Harbor he had no power to investigate. 

Mr Schrems then brought proceedings in the High Court of Ireland against the Commissioner, in effect trying to force him to investigate Facebook and its membership in Safe Harbor, and that court referred the matter to the CJEU. 

The AG’s Opinion 

Following a detailed constitutional analysis of the underlying treaties and legislative instruments, the AG gave his view that the existence of Safe Harbor should not reduce the Commissioner’s powers to investigate possible breaches. 

He also thought that the European Commission’s decision approving the Safe Harbor scheme is invalid. 

The AG’s criticism of Safe Harbor centred on his view that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [European] Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection”. Thus, Safe Harbor has been implemented in a manner which does not satisfy the requirements of the EU Charter of Fundamental Rights (a key constitutional document within Europe guaranteeing the right to a private life (Article 7) and the right to data protection (Article 8)). There was thus an unwarranted interference with these rights. This was also contrary to the principle of proportionality, in particular because the surveillance carried out by the US intelligence services was, he felt, mass, indiscriminate surveillance. The existing oversight of the security services’ access to data within the US was insufficient, he felt, to ensure that there was an “effective remedy” for the fundamental rights – another right assured by the Charter (Article 47). 

Important: This is not yet a binding decision 

This is not yet a binding decision. The CJEU is now deliberating and may not follow the AG’s opinion; they do not always do so. 

A decision (affirming the opinion or ignoring it) will come within a matter of months. 

The wider context 

In any case, Safe Harbor is in the process of being renegotiated between the US and the EU and no doubt this opinion will feed into that process. 

Moreover, the EU is currently in the process of renewing its wider data protection legislation with the adoption of a Data Protection Regulation. A text for this is likely to be finalised by the end of 2015 or early in 2016 (although there have been earlier slippages). 

What does it mean for companies relying on Safe Harbor? 

As there is not yet a decision, transfers sent to the US under Safe Harbor are still lawful. 

The position though should be kept under review and consideration could be given to removing any uncertainty as to a long-term compliance strategy. For example, by moving now to one of the other methods of ensuring compliance with EU rules such as entering into approved contacts (“standard contractual clauses”) or adopting authorised “binding corporate rules”. (See this white paper for a summary of all methods available to remain compliant with EU transfer rules.) This is an issue not only for members of Safe Harbor, but also (and primarily) for EU entities sending data to the US in reliance on such membership. 

What does it mean for companies that use other methods for legitimising transfers to the US? 

As just mentioned, Safe Harbor is only one of many methods that EU companies can use to send data to the US. It is only Safe Harbor that is in danger of being removed as an option. 

Even if the AG’s opinion is confirmed in a binding decision of the CJEU, and Safe Harbor does become “invalid”, then companies that have relied on “standard contractual clauses” or “binding corporate rules” (or other methods mentioned in our white paper) will not be affected.