We will be following up our post last week regarding the latest US-EU Safe Harbor decision out of Europe with further analysis both from the Mintz Privacy team and our international network of privacy specialists. Our friends at TaylorWessing have graciously allowed us to repost their view here.
Is this the end of Safe Harbor?
What's the issue?
EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations can demonstrate an adequate level of protection is by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC.
In light of the Snowden revelations about mass surveillance of EU personal data, an Austrian individual filed a complaint against Facebook Ireland objecting to the fact that its servers are located in the USA on the basis that the USA offers no real protection of EU citizen data against State surveillance.
The Irish Data Protection Commissioner considered he was not required to investigate the complaint because Decision 2000/520 of the European Commission, which in essence validates Safe Harbor, was binding and precluded him from doing so. The Commissioner's decision was referred for Judicial Review to the High Court, which stayed proceedings and asked the Court of Justice of the European Union (CJEU) to rule on whether, in the light of EU law, the Irish Data Protection Commissioner was absolutely bound by Decision 2000/520.
What's the development?
Advocate General Bot (AG) has issued a non-binding Opinion recommending that the CJEU make the following findings:
that EU law must be interpreted as meaning that Decision 2000/520 does not have the effect of preventing an EU national regulator from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data; and
Commission Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor privacy principles is invalid.
Advocate Generals are appointed by the CJEU to provide non-binding Opinions analysing the issues and making recommendations to the CJEU for the ultimate, and much more important, binding ruling.
What does this mean for you?
If you export personal data to a US entity signed up to Safe Harbor or if your organisation is signed up to Safe Harbor, this Opinion puts the legal foundation for the transfer of such personal data from the EU to the USA under serious question. Having said that, AG decisions are not binding and the recent controversial Google Spain judgment is a good example of the final judgment diverging significantly from the preceding AG Opinion.
The Safe Harbor Principles have been under review for some time and the USA is working with the EU to ensure they are mutually satisfactory. In addition, the EU is working on a new data protection law which might also have an impact on the export of data from the EU to the USA. To date, the EU has stopped short of suspension of Safe Harbor but if the CJEU rules along the lines of the Opinion before revised principles or a new EU law have been finalised, then Safe Harbor may effectively be suspended.
It is not yet time to panic, but organisations for whom the transfer of personal data between the EU and USA is of great importance might begin to consider whether other grounds for transfer are available. These may include signing up to the EU approved model transfer contract clauses or complying with one of the Schedule 4 conditions in the Data Protection Act 1998 (which include obtaining the consent of the data subject).
Additional reading from both here and across the pond:
Karlin Lillington, Irish Times: Facebook Case Has Huge Implications for US-EU Business
Washington Post Blog: Facebook is at center of huge privacy controversy. For once, it isn't Facebook's fault