Dark clouds over Safe Harbor
Privacy lawyer Nina Marot reports on the latest Advocate General opinion on Safe Harbor and its potential effect on the EU-US data protection transfers agreement.
About a year ago we reported on an Irish data protection case in which Austrian data protection activist Max Schrems challenged the Irish Data Protection Authority (DPA) to review how Facebook Ireland handles his personal data, in particular the transfer of personal data to the US.
The Irish DPA claimed that, as Facebook is Safe Harbor certified, the DPA is bound by the European Commission (Commission) decision on Safe Harbor. During the proceedings, the judge asked the Court of Justice of the European Union (CJEU) whether national DPAs may conduct an independent evaluation of a third country’s level of data protection even though the Commission has evaluated this third country as adequate. A few days ago, the Advocate General published his Opinion in Case C-326/14.
In his analysis, the Advocate General emphasized the investigative powers and independence of national DPAs. He is of the opinion that although the Commission adopted a decision on Safe Harbor, this decision should not prevent a national DPA from investigating complaints that challenge the data processing practices of a country deemed adequate. Further, the Advocate General analyzed the validity of Safe Harbor and concluded that it must be “declared invalid since, owing to the breaches of fundamental rights […], the safe harbor scheme […] cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.”
Since the introduction of the Safe Harbor scheme, the DPAs seem to have been under the impression that they do not (need to) investigate the adequacy of data protection safeguards in the US. The CJEU's adoption of the Advocate General's opinion could (a) declare Safe Harbor invalid and/or (b) inform national DPAs of their ability to independently review whether the US ensures sufficient protection of personal data. Such independent investigations may lead to different conclusions among the DPAs. If a DPA considers the US an inadequate territory, it may block data transfers that are based on Safe Harbor. It will be up to national DPAs to decide whether an EU Member State allows Safe Harbor based data transfers or not. As there are 28 national DPAs in the EU, some countries may end up being excluded from Safe Harbor, which may further fragment the EU data protection regime.
Although the date of the judgment’s delivery is not yet known, some predictions foresee that the CJEU will rule before the end of this year. If the CJEU follows the Advocate General's opinion, a substantial number of companies that base their data transfer practices on Safe Harbor will have to consider alternative solutions, such as Binding Corporate Rules (BCR) or Standard Contractual Clauses. Both alternatives have pros and cons; however, compared to Safe Harbor, both are costlier for companies to adopt and require more time to put in place. Aphaia has reviewed Safe Harbor alternatives in past blog posts and white papers.
It is important to note that the Commission is aware of the weaknesses in Safe Harbor and has therefore been trying to negotiate a new, stronger Safe Harbor with the US since the end of 2013. Despite substantial negotiations, the parties have not yet reached an agreement. However, it is still possible that a new Safe Harbor will be negotiated before the CJEU issues its judgment.
The Opinion of the Advocate General of September 23, 2015 is available here.