In a non-binding opinion, a European Union Advocate General recommended to the European Court of Justice (“CJEU”) that it find the EU-U.S. Safe Harbor program invalid. Advocate General Yves Bot’s recommendations included:
- Giving EU national data protection authorities the ability to investigate and suspend data transfers to a non-EU country on the grounds that the county’s laws provide inadequate protection for the data, even if the European Commission (“EC”) had previously determined that such laws were adequate. The EU-U.S. Safe Harbor framework had previously been deemed adequate by the EC.
- Invalidating the EU-U.S. Safe Harbor framework, due primarily to U.S. intelligence agencies’ wide access to European citizens’ data stored in the U.S.
The Advocate General’s recommendation states that “indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the [Charter of Fundamental Rights of the EU].” The CJEU generally follows the recommendations of its Advocates General (experienced lawyers assigned to present an opinion on a case to the court), though there have been exceptions in the past, including the significant 2014 Right to Be Forgotten decision. Invalidation of the agreement would have far-reaching consequences for companies that have relied (and continue to rely) on the Safe Harbor framework to transfer data of EU citizens to the U.S.
The case was referred to the CJEU after Austrian privacy advocate Max Schrems lodged a complaint with the Irish Data Protection Commission in June of 2013, claiming the law and practices of the United States offer no real protection against the U.S. government’s surveillance of data kept in the U.S. The claim followed Edward Snowden’s revelations concerning U.S. intelligence agencies’ practices and the authorization for such practices by the secret U.S. Foreign Intelligence Surveillance Court (FISC). The case made its way to the Irish High Court, which, in turn, referred various questions to the CJEU.
The European Commission’s Decision 2000/520/EC states that the EU-U.S. Safe Harbor framework provides a level of data protection sufficient to permit transfers of personal data to its participants. The court was tasked with determining whether 2000/520/EC prevents national Data Protection Commissions from taking action based on the inadequacy of a third country’s data practices. AG Bot concluded that 2000/520/EC does not prevent a national data protection authority from taking action, and, though not asked, concluded that 2000/520/EC is invalid because it does not sufficiently protect personal data transferred from the EU to the U.S.
While Schrems’ complaint concerned his use of Facebook, AG Bot’s decision makes clear that Facebook’s policies themselves do not violate the agreement; rather, the requirement that Facebook share data in order to comply with U.S. legislation is the core problem.
The opinion discusses a wide range of U.S. practices, policies, and laws which in AG Bot’s opinion do not provide the amount of protection for EU citizens’ data as is required by the Safe Harbor agreement. Among the problems, the “United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.” Additionally, “the [FISC] does not offer an effective judicial remedy to citizens of the [European] Union whose personal data is transferred to the United States.” AG Bot’s opinion is also based on his perception of the NSA’s PRISM program, “under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the internet and technology field.” In sum, AG Bot finds that “the safe harbour scheme… cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.”
Invalidation of the agreement would have serious practical consequences for transfers of data to U.S. entities that participate in the Safe Harbor program. Some observers predict a demise of the program. The ECJ’s final decision is expected on Tuesday, October 6, 2015.
The case is C-362/14, Maximilian Schrems v Data Protection Commissioner.