The Advocate General of the Court of Justice of the EU (CJEU) has published his opinion on the Schrems vs. Irish Data Protection Commissioner case. If followed by the CJEU, the opinion will not only have consequences for the 4,500 companies that rely on the safe harbour scheme to transfer personal data between Europe and the US, but will also disrupt the activities of those businesses that rely on such companies. The flow of personal data across the Atlantic is crucial to the UK's digital economy and the CJEU now finds itself at the centre of a highly political issue.
It is important to note that this opinion is not binding, but the Advocate General is an influential individual and the CJEU normally follows his opinion.
Why is the CJEU examining safe harbour?
Edward Snowden's revelations about the mass surveillance of personal data by US intelligence services were the trigger for the Schrems case. Following Snowden's revelations, Max Schrems, an Austrian law student who has repeatedly challenged Facebook's data protection practices in Europe, took action against the Irish data protection regulator. Mr Schrems complained that the law and practices of the US offer no real protection against the surveillance of personal data transferred to the US and that the Irish regulator had a duty to safeguard his privacy (Facebook's European headquarters is in Dublin). The Irish regulator rejected his complaint on the basis that the US ensures an adequate level of protection through the safe harbour scheme.
The Irish High Court has asked the CJEU to ascertain whether the safe harbour scheme prevents the Irish regulator from investigating a complaint alleging that the US does not ensure an adequate level of protection and, where appropriate, from suspending the transfer of the relevant data.
The Advocate General's Opinion
The Advocate General's opinion contains recommendations that go beyond the question referred to the CJEU by the Irish High Court. The Advocate General acknowledges that national regulators are bound by the Commission decision which established safe harbour; however, he stated that such a binding effect cannot require complaints to be rejected by a regulator without examination. In addition, the Advocate General is of the view that Member States must be able to take steps to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU.
Having addressed the questions asked by the Irish High Court, the Advocate General went further and expressed an opinion that the Commission decision itself, which established the safe harbour scheme, is invalid. The fact that the law and practice of the US allow large-scale collection of, and access to, the personal data of European citizens, without such citizens benefiting from effective judicial protection, demonstrates that the safe harbour scheme does not contain sufficient guarantees. As a consequence, the Advocate General believes the safe harbour scheme has been implemented in a manner which doesn't satisfy the European Data Protection Directive and is contrary to the Charter of Fundamental Rights of the EU.
The Advocate General also cited the recent negotiations between the Commission and the US, about reforming the safe harbour scheme, as evidence that even the Commission considers that the safe harbour scheme is no longer adequate following the Snowden revelations.
The ability to transfer personal data outside of the EEA is important to ensure that European technology companies remain competitive globally. Antony Walker, Deputy CEO of techUK, commenting on the Advocate General's opinion, said: "Disruption to international data flows could hurt the UK's digital economy. The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data driven companies in the UK and right across Europe".
It is clear that there is an issue with safe harbour: it has long been regarded in Europe as a rather toothless scheme, and the European Parliament did call for its suspension some 18 months ago. This opinion is likely to complicate the ongoing negotiations between the US and Europe, emphasising the need to include greater legal safeguards in any new safe harbour scheme. There is a need for greater accountability and a means by which the rights of European citizens are protected from breaches of the European data protection principles in jurisdictions outside of the EEA.
It is important to remember that safe harbour is not the only means by which organisations can justify transfers of personal data to the US. Binding corporate rules and model clauses can also be used to ensure adequate protection of personal data being exported to the US.
In light of this opinion, and the increased penalties and obligations that the new European General Data Protection Regulation will introduce, organisations should start reviewing their international data transfer practices to consider what they will need to do if the safe harbour scheme is found to be invalid by the CJEU. It is important to remember that most of the cloud providers rely on the safe harbour scheme to provide some of their services; as a consequence, a large number of organisations may be indirectly affected.