Data Protection Report - Norton Rose Fulbright

On September 22, 2015, the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe Harbor recommendation makes predicting whether the ECJ will follow the Opinion virtually impossible. A possible mitigation of the massive impact on trans-Atlantic trade such a finding would have may be that any invalidity that the ECJ identifies in its ultimate decision is met by the revisions to the Safe Harbor framework that are currently being negotiated. It is likely that the Opinion will encourage the European Commission to harden its stance in the ongoing negotiations with the US, or to delay concluding those negotiations until the ECJ issues a decision in Schrems, so as not to put the updated Safe Harbor Agreement at odds with such a decision.

Background

The Schrems case was initiated by Maximilian Schrems, an Austrian citizen who challenged Facebook’s transfer of his personal data to the US from Ireland under the Safe Harbor Agreement on the basis of allegations – raised by Edward Snowden – of widespread surveillance by US intelligence agencies.

Schrems claimed in the Irish courts (where Facebook is established in the EU) that US laws and practices offer no real protection of personal data stored in the US against state surveillance. In particular, Schrems claimed that the US National Security Agency (“NSA”) through the PRISM program obtained unrestricted access to data stored on US-based servers owned and controlled by a number of Internet companies, including Facebook.

Initially, Schrems complained to the Irish Data Protection Commissioner (“DPC”). The DPC refused to investigate the complaint on the basis that it was bound to allow the transfer under a European Commission decision that holds that personal data transferred under the EU/US Safe Harbor regime is adequately protected (Decision 2000/520/EC of 26 July 2000) (“Commission Decision”). Schrems subsequently commenced proceedings in the Irish High Court against the DPC for its refusal to investigate and suspend the data flows. The Irish High Court stayed the proceedings and submitted two questions to the ECJ for preliminary ruling:

First, whether the DPC, in the course of investigating and ruling on a complaint it receives alleging that personal data is being transferred to a third country whose laws and practices are alleged not to provide adequate protection for the individual’s personal data, is absolutely bound by the Commission Decision that the third country’s protections are adequate;

Second, whether the DPC could – or is under an obligation to – conduct its own investigation of the matter in the light of factual developments that have occurred after the Commission Decision was first published.

Advocate General’s Opinion

To the surprise of many, the Opinion recommended the ECJ rule that:

  • An EU data protection authority has the power to:
    1. make its own determination of adequacy, regardless of whether a Commission decision has ruled that the general level of data protection in that country (i.e., in the US for entities certified under the EU/US Safe Harbor framework) is adequate; and
    2. suspend data flows to such country if the data protection authority determines that the protections are inadequate.

We do not view this as a recommendation to automatically invalidate Commission decisions; rather, the recommendation allows data protection authorities the independence to suspend a transfer where new facts mean the Commission decision is no longer protecting the individual’s fundamental data protection rights in that third country. Note, however, that this is by no means a clear test.

  • The Commission Decision (authorizing the Safe Harbor) should be declared invalid and be suspended on the basis of the Advocate General’s view that:
    1. in the wake of the Edward Snowden revelations, data transferred to the US “is capable of being accessed by US security agencies in the course of mass and indiscriminate surveillance and interception of such data” (which is more than is strictly necessary for national security and law enforcement purposes);
    2. EU citizens have no effective right to be heard in relation to such surveillance (particularly as the surveillance is often secret and the FTC cannot challenge the US security agencies’ activities); and
    3. the Commission Decision does not contain sufficient guarantees to safeguard EU citizens’ fundamental data protection rights. The Opinion also notes that, if the Commission is negotiating reform of the Safe Harbor regime, the implication must be that the existing Commission Decision may no longer provide adequate safeguards.

Our Take

First, we note that the Advocate General’s Opinion is a non-binding recommendation. No decision or ruling will be made until the ECJ has made its own decision (which is likely to take a few months, though no date has been set). The following potential consequences would only arise if the ECJ makes a ruling that follows the Opinion. In the meantime, transfers under the Safe Harbor Agreement appear to remain compliant. As we noted above, whether the ECJ will follow the Advocate General’s recommendation to invalidate the Safe Harbor Agreement remains in significant doubt.

The Opinion (if it were to be followed by the ECJ) would lead to a number of significant consequences for businesses operating on both sides of the Atlantic:

First, the ECJ could ultimately decide that the Safe Harbor Agreement was invalid. If that happens, data flows for which the Safe Harbor establishes a legal basis could be suspended.

Second, the European Commission is reportedly close to concluding negotiations with the US in order to update the Safe Harbor Agreement following its 13 recommendations for improvement (set out in its Communication of 27 November 2013). In this regard, the Opinion may lead the Commission to harden its stance on these negotiations or to delay concluding those negotiations until the ECJ provides a decision in this case, so as not to put the updated Safe Harbor Agreement at odds with such a decision.

Third, the reasoning in the Opinion could also call into question the validity of transfers under other Commission-approved mechanisms, such as EU model clauses, as a US importer’s ability to resist the unrestricted access to mass data complained of in the Schrems case would be no greater if EU model clauses were used in place of the Safe Harbor scheme.

Finally, the Opinion suggests that, in certain extreme circumstances, individual data protection authorities can suspend data transfers that fall under existing Commission decisions, following their own assessment. Given the economic impact of any such suspension and the uncertainty that it would create, it must be hoped that data protection authorities would wait for an ECJ decision before undertaking any such suspension (and even then, exercise this power sparingly). Note that the Opinion does not make any relative assessment as to whether similar surveillance activities are undertaken within EU member states or of the safeguards applicable to such activities (which would have informed its assessment of the proportionality of the US position more objectively).

Get More Information at our EU/US Safe Harbor breakfast briefing in our London office on November 3, 2015 at 9 am

We are hosting a breakfast briefing in our London office on what compliance with the EU/US safe harbor regime requires in practice and the current attitudes of European regulators to its use on November 3, 2015 at 9 am.

The briefing will be led by Boris Segalis (US co-chair of Norton Rose Fulbright’s data protection practice group) and Marcus Evans (European chair). If you would like to attend please click here to register.
