European Court of Justice May Invalidate Safe Harbor Framework

Ballard Spahr LLP

In a landmark decision that threatens to undo the process by which American companies handle personal data flowing from the European Union, the Advocate General (AG) of the European Court of Justice (ECJ) issued an advisory opinion last week holding that the Safe Harbor Framework does not provide adequate protection to personal data and should therefore be declared invalid. The Safe Harbor Framework, which has been in existence since 2000, currently allows more than 4,000 U.S. companies to receive personal data transferred from the EU.

The EU Data Protection Directive 95/46/EC prohibits personal data from being transferred to a country outside the EU unless the transferee country provides an “adequate level of protection” to that data. Due in part to the U.S. sectoral approach to privacy protection, and to the emphasis on voluntary self-regulation, the U.S. has not been recognized as providing such adequate protection. In order to facilitate the transfers of large amounts of personal data from the EU to the United States which occur on a daily basis, the European Commission (the Commission), in conjunction with the U.S. Department of Commerce, formulated the Safe Harbor Framework.

Pursuant to this Framework, companies must comply with a number of principles to protect personal data, including notice, choice, onward transfer, security, data integrity, access, and enforcement, and must self-certify to that effect. In its decision 2000/520 (the Adequacy Decision), the Commission held that transfers of personal data from the EU to U.S. companies that are Safe Harbor-certified provide adequate protection and are therefore permissible under the Data Protection Directive.

In June 2013, Austrian national Max Schrems filed a complaint with Ireland’s Data Protection Commissioner claiming that Facebook Ireland Ltd.’s transfer of European users’ personal data to Facebook’s servers in the U.S. infringes upon the privacy rights of European users. Per Schrems, the National Security Agency’s (NSA) unrestricted access to mass data stored on the Facebook servers, under the PRISM surveillance program disclosed by Edward Snowden, leaves personal data with no real protection against U.S. government surveillance. Notably, all of the companies revealed to be involved in the PRISM program were Safe Harbor-certified.

The Irish Commissioner dismissed Mr. Schrems’ complaint, deferring to the Commission’s Adequacy Decision. On judicial review of the Commissioner’s decision, the High Court of Ireland noted that the NSA and U.S. agencies can access personal data in the course of “mass and indiscriminate surveillance and interception” and that this may present an issue under Irish law as to whether the U.S. ensures an adequate level of protection for personal data transferred from the EU. However, the Court held, the Commission’s Adequacy Decision prevents the Commissioner from investigating this. The case is now pending before the ECJ, which is scheduled to render its decision on October 6, 2015.

The AG said that European national data protection authorities, such as the Irish Commissioner, may investigate complaints regarding the level of protection afforded to personal data by a third country, and may even suspend specific transfers of data to such countries, despite the existence of the Commission’s Adequacy Decision. Further, the AG opined that the Adequacy Decision must be declared invalid.

The AG also took issue with the Safe Harbor Framework, finding that the Framework allows a large-scale collection and transfer of personal data of EU citizens to the U.S., where it is subject to mass surveillance by U.S. intelligence services, and thus does not provide effective judicial protection of the nature required by the European Data Protection Directive and by the European Charter of Fundamental Rights. In order to be effective, the Framework must include adequate guarantees and sufficient control mechanisms, including regulatory oversight. Per the AG, neither the Federal Trade Commission (FTC), with its emphasis on fair and trustworthy commerce for consumers, nor special dispute resolution bodies such as TRUSTe and BBBOnline have the power to monitor possible breaches of principles for the protection of personal data by public actors such as U.S. security agencies, and such power is essential to ensure sufficient protection.

While the AG’s opinion is not binding on the ECJ, it is generally deemed persuasive. If the ECJ affirms the AG’s opinion invalidating the Safe Harbor Framework, thousands of U.S. companies will need to immediately consider alternative solutions for transferring personal data from the EU, such as relying on consent from the individuals to the transfer or instituting intra-company data transfer agreements or Binding Corporate Rules. Even if the Safe Harbor Framework is not invalidated, it may be amended to require closer scrutiny and regulatory enforcement. Alternatively, the national data protection authorities may be granted the authority to investigate or suspend individual transfers of data. This will likely lead to inconsistent implementation by the different authorities and may result in uncertainty for companies.

In light of these potentially momentous changes, companies engaging in transfers of personal data would do well to reexamine and map their data flows from the EU to the U.S. and to reassess their compliance with the Safe Harbor Principles and whether any adjustments should be made.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
