European Court of Justice strikes down U.S.-EU data transfer agreement

Editor’s Note: The European Court of Justice (ECJ) issued a ruling on October 6 that

struck down the U.S.-EU Safe Harbor Agreement

, which established a set of privacy protection rules for companies that transfer customer data between European Union and the United States. The following blog post analyzes an earlier decision by the Advocate General that led to the ECJ ruling; the post originally appeared on Sidley Austin LLP’s

Data Matters blog

.

In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.

The Max Schrems case concerns the Irish Data Protection Commissioner’s decision not to investigate a complaint made by Schrems regarding the storage by Facebook of its EU subscribers’ data on servers in the U.S. More broadly, the case questions the adequacy of the U.S.-EU Safe Harbor scheme. In his 23 September 2015 opinion, the Advocate General determined that national data protection authorities are not prevented from investigating and reaching an independent decision from the European Commission decision underlying Safe Harbor. As such, the Irish Data Protection Commissioner had no legitimate basis to refuse to investigate the complaint made by Max Schrems.

The Advocate General went on to advise that Safe Harbor does not satisfy the requirements of either the EU Charter of Fundamental Rights or the EU Data Protection Directive because “the access enjoyed by the United States intelligence services is mass, indiscriminate surveillance.”

The Advocate General considered that the finding of adequacy by the European Commission in connection with Safe Harbor should be declared invalid since the existence of a derogation (which allows the principles of the Safe Harbor scheme to be disregarded for national security reasons) prevents Safe Harbor from ensuring an adequate level of protection for the personal data which is transferred from the EU to the U.S. In addition, in the view of the Advocate General, there is no U.S. independent authority capable of verifying that the implementation of the derogations from Safe Harbor by, for example, U.S. security agencies is necessary because neither the FTC nor any private dispute resolution body has the power to monitor such possible breaches.

“There is not necessarily a logical or empirical connection between corporate data transfers under the Safe Harbor and U.S. government data collection efforts.”

While the EU’s assessment of the Safe Harbor has unquestionably become enmeshed with concerns over U.S. intelligence surveillance, there is not necessarily a logical or empirical connection between corporate data transfers under the Safe Harbor, and U.S. government data collection efforts—any more than there would be with regard to Standard Contractual Clauses or Binding Corporate Rules. The Advocate General opinion paints U.S. intelligence collection with a very broad brush that appears to blend together the contents of press reports from the Snowden leaks with information on the recently-ended U.S. domestic bulk metadata collection program along with collection of Internet communications of non-U.S. citizens. Given the broad authorities for European intelligence collection with no oversight by data protection authorities, it is difficult to understand why the derogation for national security reasons in the Safe Harbor agreement is less protective of the rights of EU citizens than the equivalent derogation in the 1995 Privacy Directive. It should also be noted that common carriers in the U.S.—such as the leading telecommunications companies—are not eligible for and do not participate in the Safe Harbor.

Given that the opinion is not legally binding and will now need to be decided by the 15 judges of the ECJ, a key question to ask is to what extent the “defects” in the Safe Harbor scheme identified by the Advocate General can be addressed in ongoing discussions between the U.S. government and the European Commission. The Advocate General took note of these negotiations “to put an end to the shortcomings found.” The Commission and the U.S. Department of Commerce have been close to an agreement, which includes measures to acknowledge boundaries on U.S. government access to data on EU citizens, and the U.S. Congress is considering the Judicial Redress Act to extend rights under the Privacy Act to certain foreign citizens. The approval of a new Safe Harbor agreement and passage of this legislation could address concerns raised in the Advocate General opinion.

Nonetheless, this recommendation, if upheld by the European Court of Justice, would have a significant impact on many businesses currently relying on Safe Harbor to legitimize transfers of personal data from the EU to the U.S. Such businesses may wish to reconsider their choice of international data transfer solutions and whether to adopt alternative solutions, such as Binding Corporate Rules or EU standard contractual clauses.