Yesterday morning’s preliminary opinion from the Advocate General in a European Court of Justice (ECJ) case challenging the lawfulness of Facebook’s data transfers from Ireland to the United States has received substantial media coverage. The ECJ’s press release can be found here.
In short, the Advocate General has said that the Safe Harbor scheme approved by the EU Commission does not comply with EU laws as it does not esnure an adequate level of protection for personal data.
What is Safe Harbor?
Safe Harbor is a self certification scheme operated by the Federal Trade Commission (and approved by the European Commission) that enables US companies to state that they will safeguard personal data to a standard that is consistent with the requirements of EU data protection law. Transfers of personal data to an entity that is Safe Harbor certified will not breach the general restrictions on transfers of personal data outside the EEA (the eighth data protection principle), as the EU Commission considers that Safe Harbor provides adequate safeguards.
Many businesses use Safe Harbor as a basis for ensuring that data transfers from the EU to US entities comply with EU data protection laws. Using Safe Harbor is attractive because it avoids the need to put in place a contract using the EU’s model clauses or take other steps to comply with the eighth principle. Each data controller simply relies upon the EU Commission’s general finding of adequacy in relation to the Safe Harbor scheme.
The Safe Harbor scheme is currently being reviewed by the US and the EU, as a result of concerns over its effectiveness. Indeed, the rules on international data transfers as a whole are currently being reviewed as part of the EU’s ongoing (never ending?) negotiations in relation to a new EU data protection regulation.
If the ECJ follows the Advocate General’s preliminary opinion (and whilst common, that is by no means certain), the legal basis on which businesses transfer data outside the EEA will be undermined.
That will impact not just intra-group transfers in relation to the likes of Facebook and other consumer facing businesses, but also outsourcing arrangements for services such as data centres, call centres and software development, where transfers are justified on the basis of the US entity’s Safe Harbor certification.
Why does the Advocate General consider that Safe Harbor is unlawful?
The Advocate General’s concern centres on the level of access enjoyed by United States intelligence services to EU personal data that has been transferred to the United States and the lack of an effective remedy for EU citizens in relation to unlawful processing.
According to the Advocate General, the Safe Harbor scheme approved by the EU Commission does not adequately protect personal data from such access:
The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data.
How might this impact on other data transfers to the US and elsewhere?
What is striking about the Advocate General’s opinion is that it does not just attack Safe Harbor as a mechanism for lawfully transferring EU personal data to the United States.
It also potentially impacts on other mechanisms used by data controllers to comply with the eighth principle, such as the EU Commission’s model clauses for data transfers and binding corporate rules, both of which are approved by the European Commission and national data protection regulators as mechanisms providing the necessary level of adequacy.
If a scheme agreed between the EU Commission and the Federal Trade Commission does not provide an adequate level of protection from government surveillance, then it is surely impossible for any contractual terms agreed directly between the data exporter and the data importer to achieve that goal. It is not within the gift of a US business to limit the powers of the US intelligence services.
That being the case, any decision on the validity of Safe Harbor could lead to challenges in relation to other transfers of personal data to the US and, indeed, transfers to other countries around the world whose intelligence services enjoy similar rights of access.
The ECJ is likely to issue its final opinion later this year. It will be awaited with interest. In the meantime, discussions continue between the EU and the US in relation to reforms to improve the Safe Harbor regime.
On September 24, 2015