Privacy Monday, September 28, 2015: More on US-EU Safe Harbor — what’s next?

Mintz - Privacy & Cybersecurity Viewpoints

We will be following up our post last week regarding the latest US-EU Safe Harbor decision out of Europe with further analysis both from the Mintz Privacy team and our international network of privacy specialists. Our friends at TaylorWessing have graciously allowed us to repost their view here.  

Is this the end of Safe Harbor?

What’s the issue?

EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations can demonstrate an adequate level of protection is by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC.

In light of the Snowden revelations about mass surveillance of EU personal data, an Austrian individual filed a complaint against Facebook Ireland objecting to the fact that its servers are located in the USA on the basis that the USA offers no real protection of EU citizen data against State surveillance.

The Irish Data Protection Commissioner considered he was not required to investigate the complaint because Decision 2000/520 of the European Commission which, in essence, validates Safe Harbor, was binding and precluded him from doing so. The Commissioner’s decision was referred for Judicial Review to the High Court which stayed proceedings and asked the Court of Justice of the European Union (CJEU) to rule on whether, in the light of EU law, the Irish Data Protection Commissioner was absolutely bound by Decision 2000/520.

What’s the development?

Advocate General Bot (AG) has issued a non-binding Opinion recommending that the CJEU make the following findings:

that EU law must be interpreted as meaning that Decision 2000/520 does not have the effect of preventing an EU national regulator from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data; and 

that Commission Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor privacy principles is invalid.

Advocates General are appointed by the CJEU to provide non-binding Opinions analysing the issues and making recommendations to the CJEU for the ultimate, and much more important, binding ruling.

What does this mean for you?

If you export personal data to a US entity signed up to Safe Harbor or if your organisation is signed up to Safe Harbor, this Opinion puts the legal foundation for the transfer of such personal data from the EU to the USA under serious question. Having said that, AG decisions are not binding and the recent controversial Google Spain judgment is a good example of the final judgment diverging significantly from the preceding AG Opinion.

The Safe Harbor Principles have been under review for some time and the USA is working with the EU to ensure they are mutually satisfactory. In addition, the EU is working on a new data protection law which might also have an impact on the export of data from the EU to the USA. To date, the EU has stopped short of suspension of Safe Harbor but if the CJEU rules along the lines of the Opinion before revised principles or a new EU law have been finalised, then Safe Harbor may effectively be suspended.

It is not yet time to panic, but organisations for whom the transfer of personal data between the EU and USA is of great importance might begin to consider whether other grounds for transfer are available. These may include signing up to the EU approved model transfer contract clauses or complying with one of the Schedule 4 conditions in the Data Protection Act 1998 (which include obtaining the consent of the data subject).

Additional reading from both here and across the pond:

Karlin Lillington, Irish Times:  Facebook Case Has Huge Implications for US-EU Business

Washington Post Blog:  Facebook is at center of huge privacy controversy.  For once, it isn’t Facebook’s fault

The Guardian:  Facebook case may force European firms to change data storage practices

Diginomica: Europe’s Safe Harbor ruling makes life less safe for the US cloud industry


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising
