Advocate General Yves Bot today delivered an opinion recommending that the European Court of Justice (ECJ) find the U.S.-EU Safe Harbor Program invalid. His opinion, while non-binding, relates to a request for a preliminary ruling referred to the ECJ by the High Court of Ireland in Schrems v. Data Protection Commissioner (ECJ, No. C362/14, 23 Sept 2015).
In light of Edward Snowden’s disclosures of systematic monitoring of communications by the U.S. government, Maximilian Schrems, an Austrian citizen, complained to the Irish Data Protection Commissioner. When the Irish Data Protection Authority did not investigate, Schrems brought an action in the Irish courts challenging that decision.
The Advocate General’s Opinion sets out two significant recommendations.
- EU Member States’ national data protection authorities (DPAs) must be able to investigate complaints that call into question the level of protection ensured by a third country, such as the United States, and be able to suspend transfers of personal data if the DPA considers the transfer to undermine individuals’ protections.
- Commission Decision 2000/520/EC, which found that transfers of personal data to the U.S. under the Safe Harbor Program provided an adequate level of protection for transfers of personal data under Article 26 of the EU Data Protection Directive 95/46/EC, should be declared invalid, as Safe Harbor cannot ensure an adequate level of protection.
The Advocate General’s opinion was based on several factors:
- Data transferred to the U.S. is capable of being accessed by the National Security Administration (NSA) and other U.S. security agencies, access that is described as a “mass and indiscriminate surveillance and interception” and that compromises the right to privacy under Article 7 of the Charter of Fundamental Rights of the European Union (the “Charter”).
- European citizens have “no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected and then transferred to the U.S.,” in breach of Article 47 of the Charter, which provides for the right to an effective remedy and a fair trial.
- Generally worded derogations potentially allow all safe harbor principles to be misapplied, by not limiting data to what is strictly necessary and thus compromising “the fundamental right to protection of personal data” under Article 8 of the Charter.
The ECJ tends to follow the recommendations of the Advocates General, although there are a few instances where the court has not followed an Advocate General’s opinion. A ruling by the ECJ should be forthcoming in the next couple of months.
If the ECJ finds the European Commission Decision invalid, that will have an immediate effect. Presumably, DPAs will allow a grace period so that organisations that have certified to safe harbor can legitimise data transfers via another method, such as binding corporate rules or use of the standard contractual clauses.
The implications of this opinion, if followed by the ECJ when rendering its decision, are immense. There are more than 3,000 U.S. companies that have self-certified to the U.S.-EU Safe Harbor Program. In addition, most companies will use vendors and suppliers that have self-certified to Safe Harbor, even if those companies are not Safe Harbor certified themselves. There may also be an impact on trade between the European Union and the U.S. The U.S., however, has the potential to change the outcome of any ECJ decision by enacting the Judicial Redress Act, a bill pending before the U.S. Congress, which would give EU citizens standing in U.S. courts to challenge disclosures of their personal data to various U.S. governmental authorities on a basis similar to that which U.S. citizens currently enjoy. That act was part of a wider umbrella agreement between the U.S. and EU and could affect the outcome of the ECJ’s ruling.