Thousands of U.S. and European companies that rely on the EU–US Safe Harbor Framework to permit the transfer of personal data from the EU to the U.S. have come a step closer to seeing the transfer mechanism struck down.
Today, Europe's Advocate General Yves Bot (a top advisor to the European Court of Justice) released his long-awaited opinion on the EU–US Safe Harbor Framework, in which he says that the European Commission decision, which permits European organisations to send personal data to the U.S. under the framework, is invalid.
Under EU privacy law, the transfer of personal data to a country outside the European Economic Area can in general only take place if the destination country ensures an "adequate" level of data protection. The European Commission's decision of 2000 in respect of the Safe Harbor Framework allows certain organisations in the U.S. (particularly those in the tech sector) to self-certify their compliance with European privacy principles that the Commission considered demonstrated an adequate level of protection for personal data, including elements such as notice, choice, onward transfer, data security, data integrity and dispute resolution processes.
In recent years, however, Safe Harbor has been heavily criticised by both data protection regulators and privacy advocates for not providing sufficient protection for personal data. The Commission itself has also entered negotiations with the U.S. to strengthen the protections afforded by the framework.
The Advocate General's opinion follows the case launched by Austrian citizen Maximilian Schrems against the Irish Data Protection Commissioner and centres on the Edward Snowden revelations concerning the surveillance activities of the U.S. intelligence services.
Schrems lodged a complaint with the Irish data protection regulator, taking the view that (in relation to certain transfers of personal data from Ireland to the U.S.), in light of the Snowden revelations, the law and practices of the U.S. government offered no real protection for personal data. After the Irish regulator rejected the complaint (on the grounds that under the Commission's Safe Harbor decision the U.S. offers an adequate level of protection), Schrems took his claim to the Irish courts. The case was then referred by Ireland to the European Court of Justice. The Advocate General's opinion will be considered by the Court of Justice when making its final decision.
In his opinion, the Advocate General expresses two main views:
The Advocate General's opinion is not binding on the Court of Justice but is often seen as highly persuasive. We await a date for the court's final decision, which could leave: (i) many organisations needing to rapidly implement new data transfer solutions; and (ii) a patchwork approach to Safe Harbor across the EU where, depending on the views of the relevant member state data protection regulator, some member states continue to recognise the framework and others do not.
The immediate step for U.S. and European companies is to update their mappings of cross-border data flows between these regions, and to begin considering the costs and benefits of alternative methods that may provide more predictable and stable ways to transfer data. In performing this assessment, there are three important issues to remember: