On 18 June 2014 an Irish High Court Judge referred a question to the Court of Justice of the European Union (CJEU) and asked for a ruling that would take into consideration the Commission adequacy decision on data transfers to the USA (Safe Harbor).
In particular, the CJEU was asked to determine whether a national data protection authority has to blindly follow the Commission’s Decision (Safe Harbor) and, if not, whether such an authority is able to carry out its own review of a third country’s level of data protection.
The problem of new technology
The question of the appropriateness of Safe Harbor has been floating across the EU for a while. A recent obstacle to this 14-year-old Commission decision is undoubtedly the aforementioned referral by the Irish Judge to the CJEU, which will also evaluate the issue in the light of technological evolution. Furthermore, new technology, such as the social networking site Facebook, is also the reason for the complaint.
Austrian student Max Schrems, one of the candidates for a new Irish DPA, has been trying to fight Facebook’s way of processing data for quite a while.
The current complaint (23rd in a row) was triggered by last year’s Snowden revelations regarding the NSA PRISM program. In his complaint to the Irish DPA, Schrems expressed his concern about his personal data being transferred to the US by Facebook Ireland. As Facebook Ireland (Facebook Inc.’s Irish subsidiary) is subject to Irish law, it also falls within the scope of Irish (and EU) data protection laws.
Seven Safe Harbor principles
Based on the European Data Protection Directive currently in force, the Commission had enabled an EU–US data flow. “Safe Harbor” is the result of a joint effort between the Commission and the US Department of Commerce. In July 2000, they agreed on seven Safe Harbor principles that need to be respected in order for the data flow to be legal. Every US company, such as Facebook Inc., that wishes to transfer data from the EU to the US needs to self-evaluate and publicly commit to respecting the Safe Harbor principles.
Although the enforcement used to be rather weak, lately the Federal Trade Commission has strengthened its investigative activities.
The fact that Facebook Ireland complies with Safe Harbor was also the main argument of the Irish DPA.
The Irish High Court Judge agreed and concluded that the Irish DPA is bound by Safe Harbor and consequently cannot present findings inconsistent with the Commission Decision. On the other hand, the Commission decided on Safe Harbor 14 years ago, and Snowden’s revelations together with technological developments have meanwhile planted a seed of doubt about the US data protection mechanisms.
Additionally, the Charter of Fundamental Rights of the European Union is now in force, which is also not reflected in Safe Harbor. Therefore, a “re-evaluation of how the 1995 Directive and 2000 Decision should be interpreted in practice may be necessary,” according to the Irish Judge.
Restoring trust in EU-US data flows?
Snowden’s revelations of 2013 have not only triggered the case described above.
The Commission has been trying to restore trust in the EU-US data flows. Additionally, the data protection Umbrella Agreement, which would also include the analysis of Safe Harbor, is currently being negotiated.
The European Parliament was also very critical of the (un)safety of Safe Harbor, as MEPs of the previous mandate claimed that it does not ensure an adequate level of protection for EU citizens.
The Parliament has just started a new mandate and new MEPs have not yet expressed themselves regarding this issue.
On the other hand, the Commission Vice-President Viviane Reding (who has resigned as Commissioner and taken a seat as an MEP) said that “95% of what could be agreed – has been” agreed with regard to the Umbrella Agreement. Thus, Safe Harbor may change before the CJEU gets a chance to comment on it.