EU–US Safe Harbor About to be Struck Down?

September.23.2015

Thousands of U.S. and European companies who rely on the EU–US Safe Harbor Framework to permit the transfer of personal data from the EU to the U.S., have come a step closer to seeing the transfer mechanism struck down.

Today, Europe's Advocate General Yves Bot (a top advisor to the European Court of Justice) released his long awaited opinion on the EU–US Safe Harbor Framework, in which he says that the European Commission decision, which permits European organisations to send personal data to the U.S. under the framework, is invalid.

Under EU privacy law, the transfer of personal data to a country outside the European Economic Area can in general only take place if the destination country ensures an "adequate" level of data protection. The European Commission's decision of 2000 in respect of the Safe Harbor Framework allows certain organisations in the U.S. (particularly those in the tech sector) to self-certify their compliance with European privacy principles that the Commission considered demonstrated an adequate level of protection for personal data, including elements such as notice, choice, onward transfer, data security, data integrity and dispute resolution processes.

In recent years, however, Safe Harbor has been heavily criticised by both data protection regulators and privacy advocates for not providing sufficient protection for personal data. The Commission itself has also entered negotiations with the US to strengthen the protections afforded by the framework.

The Advocat General's opinion follows the case launched by Austrian citizen Maximillian Schrems against the Irish Data Protection Commissioner and centres on the Edward Snowden revelations concerning the surveillance activities of the U.S. intelligence services.

Schrems lodged a complaint with the Irish data protection regulator taking the view that (in relation to certain transfers of personal data from Ireland to the U.S.) in light of the Snowden revelations, the law and practices of the U.S. government offered no real protection for personal data. After the Irish regulator rejected the complaint (on the grounds that under the Commission's Safe Harbor decision the U.S. offer an adequate level of protection), Schrems took his claim to the Irish courts. The case was then referred by Ireland to the European Court of Justice. The Advocate General's opinion will be considered by the Court of Justice when making its final decisions.

In his opinion, the Advocate General expresses two main views:

The existence of the Commission's decision on a Safe Harbor pact with the U.S. does not prevent national data protection regulators in Europe from intervening in and reviewing data transfers. If a member state data protection regulator, for example, considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the Commission's assessment regarding the legitimacy of the Safe Harbor program. (In March, we published an alert on two German Supervisory Authorities that threatened to suspend data transfers based on the US Safe Harbor Program.)
The Commission decision that finds the Safe Harbor to be an adequate mechanism for data transfer is invalid. His views being influenced by the lack of protection afforded to EU citizens in the face of large-scale collection, access and allegedly indiscriminate surveillance of personal data by the U.S. intelligence services.

The Advocate General's opinion is not binding on the Court of Justice but is often seen as highly persuasive. We await a date for the court's final decision which could leave: (i) many organisations needing to rapidly implement new data transfer solutions; and (ii) a patch work approach to Safe Harbor across the EU where, depending on the views of the relevant member state data protection regulator, some member states continue to recognise the framework and others do not.

Of immediate note for U.S. and European companies is to update their mappings of cross-border data flows between these regions, and to begin considering the costs/benefits of alternative methods that may provide more predictable and stable ways to transfer data. In performing this assessment, there are three important issues to remember:

The international data transfers that are subject to EU restrictions include not only the actual "sending" of personal information (for example, via emails), but also the remote accessing or viewing of personal data from the U.S. e.g. via cloud services that maintain servers in the EEA.
The personal data that is subject to the EU data transfer restriction certainly includes consumer and customer data, but also personal data relating to employees, vendors, business partners and other third parties.
The Safe Harbor framework addresses transfers only from the EU into the U.S., and does not cover traffic from the EU to other countries, or data from non-EU countries with transfer restrictions into the EU.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.