The U.S. Safe Harbor scheme has been declared invalid by the Advocate General who is advising the European Court (CJEU) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
Whilst the opinion is non-binding, it has sent shock waves through companies that rely on Safe Harbor to ensure that their transfers of personal data from Europe to the U.S. are compliant with European law. The future of Safe Harbor in its current form is now more uncertain than ever.
In this article we explain what the opinion means for businesses and how they should be preparing now, in case the CJEU judgment follows the Advocate General’s opinion, which we understand will be issued in early October.
In 2013, Edward Snowden leaked details of mass surveillance activities of European individuals undertaken by U.S. authorities, which was widely viewed as violating European rules. In the wake of these revelations, privacy activist Maximilian Schrems complained to the Irish Data Protection Commissioner (Irish DPC) about the transfer of data from Facebook Ireland to servers in the U.S.
Schrems argued that the U.S. authorities’ access to personal data meant that Facebook did not ensure an adequate level of protection as required by European law. He asked the Irish DPC to investigate. This was refused as the transfer was made under Safe Harbor – a mechanism for EU-U.S. data transfers that the European Commission had already deemed to be adequate (Decision 2000/520).
Schrems appealed the decision to the Irish High Court, which asked the CJEU whether national data protection authorities are bound by adequacy decisions of the European Commission or, alternatively, whether they may and/or must conduct their own investigations in certain circumstances.
On 23 September 2015 the Advocate General published his opinion in the case. The opinion is non-binding, but the CJEU follows the Advocate General’s guidance in the majority of cases. The opinion stated that:
- Safe Harbor is invalid;
- mass and indiscriminate surveillance activities by U.S. authorities are a violation of the EU Data Protection Directive and of the fundamental rights afforded to European citizens under the Charter of Fundamental Rights of the EU; and
- a data protection regulator may exercise its independence to suspend a transfer if it finds that the protections offered to European individuals are inadequate – i.e. it is not necessarily bound by a European Commission decision of adequacy.
What does this mean?
If the CJEU supports the opinion of the Advocate General, what’s our view on what happens next?
- It’s doubtful that the Safe Harbor arrangement will be scrapped altogether: Given overriding economic and political considerations (including the on-going free trade agreement negotiations between the EU and the U.S.), it is more likely that a decision of the CJEU supporting the Advocate General’s opinion will accelerate on-going discussions between the EU and U.S. for a revised Safe Harbor framework and/or other U.S.-EU arrangements to address the issues identified (namely the perceived disproportionate access to European individuals’ personal data by U.S. authorities).
- U.S. technology companies may have to increase protective measures: An invalidity decision will most likely affect technology companies providing online and cloud services that are the subject of requests for access to personal data by U.S. authorities. For these companies in particular, regulators may require additional protective measures to be put in place for data transfers to the U.S., such as Binding Corporate Rules (for intra-group transfers) or European Commission approved model clauses, which ensure that European individuals’ rights are adequately protected.
- Greater scrutiny by regulators: Regulators may independently scrutinise and suspend Safe Harbor transfers if there are doubts about adequacy. Therefore, companies seeking to rely on Safe Harbor will need to undertake additional due diligence on U.S.-EU data transfers to ensure adequate protection and that there are no violations by their U.S. processors, or face potential regulatory action.
Practical steps you can take now
From a UK perspective we recommend considering the following steps:
- Carry out due diligence: Investigate the actual measures that your U.S. data processors have in place to provide an adequate level of protection for personal data that you control.
- Future-proof your data processing agreements: Include contractual contingencies in case Safe Harbor is declared invalid by the CJEU, or if additional compliance steps are needed to rely on it.
- Consider putting in place alternative data transfer solutions now: Consider putting in place model contracts or Binding Corporate Rules.
Emily Jones, UK Data Privacy Partner at Osborne Clarke, says, “We need to wait for the final court judgment in a few weeks’ time but the opinion from Advocate General, Yves Bot, has potentially huge implications for businesses. Every European organisation that shares personal data with U.S. companies should take a look at their contracts now and evaluate how they process individuals’ records to consider what alternatives to Safe Harbor they could put in place if the Safe Harbor scheme is withdrawn, so they can avoid regulatory action.”