What has happened?
The discussions between the EU and the U.S. on the Safe Harbor mechanism seemed to be almost there, but this morning the EU Court of Justice’s Advocate General Yves Bot has set the cat among the pigeons in his Opinion on the Max Schrems case about Facebook.
What is the case about?
The case was brought by Max Schrems, who didn’t like the fact that data about him on Facebook is transferred by the Irish Facebook subsidiary to its U.S. servers. Following the Snowden revelations in 2013 (concerning the activities of U.S. intelligence services), Mr Schrems lodged a complaint arguing that U.S. law does not offer sufficient protection. The Irish authority had rejected the complaint on the grounds that the Commission has declared that under the Safe Harbor scheme the U.S. ensures an adequate level of protection. The matter moved to the Irish High Court, which has asked the CJEU if, notwithstanding a Commission decision of adequacy, a national data protection authority can investigate and, if necessary, suspend transfer of personal data.
The AG’s Opinion said:
1. A decision by the EU Commission that measures to protect personal data in a non-European country are “adequate” (such as Safe Harbor) does not overrule the powers of national DPAs to restrict foreign transfers
2. Member States must be able to safeguard fundamental rights under the EU Charter of Fundamental Rights – mass, indiscriminate access by U.S. intelligence services is contrary to this as it is not proportionate
3. The Commission’s decision that Safe Harbor provides adequate protection is invalid – the Commission should have suspended it when it identified the shortcomings currently being negotiated with the U.S.
What does this Opinion mean?
An Advocate General’s opinion is not binding, but it is influential in the majority of cases (in a recent employment case AG Bot’s opinion was closely followed). The Commission argues it is not appropriate for national authorities to ignore its decisions on the basis of abstract worries (this would encroach on the Commission’s ability to negotiate with the U.S.), so there will be powerful voices against AG Bot’s view. We also anticipate that this Opinion is likely to stiffen the resolve of the EU negotiators of the revised Safe Harbor regime, and give encouragement to the more outspoken national DPAs who have recently challenged Safe Harbor.
The final ruling by the CJEU is not expected until later this year.
How will this affect businesses?
The immediate impact on most companies exporting data from the EU to the U.S. should not be overstated. In our experience, Safe Harbor is not typically used as the sole means of legitimising cross-border transfers, so this emphasises the importance of putting in place a robust privacy programme, including agreements with U.S. service providers that incorporate model clauses.
However, it will, at least until the CJEU makes its decision, create an element of uncertainty for those businesses in the U.S. that rely solely on Safe Harbor to import data in connection with the provision of services to customers in the EU.
The text of the Opinion is available here.
Max Schrems has published a response.