One of Europe’s most senior lawyers, Advocate General Bot, today declared the EU-US Safe Harbour regime invalid. His opinion has profound implications for organisations transferring personal data to the US or importing personal data from Europe. Olswang explains the practical implications for companies transferring personal data from Europe to the US.
What is safe harbour?
The Data Protection Directive (95/46/EC) requires companies which collect personal data relating to EU citizens to retain such data within the European Economic Area unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for such personal data. Adequacy can be established in a number of ways, one of which is a declaration of approval of a particular jurisdiction’s regime for protecting personal data by the European Commission.
In a decision of 26 July 2000, the European Commission declared that the safe harbour scheme established with the US provided adequate protection of personal data and since then the scheme has been widely adopted to justify transfers of personal data to US organisations certified within safe harbour.
Why does AG Bot argue that safe harbour is invalid?
A lot has happened in the data and intelligence world since 2000 which has led to mounting pressure on the existing safe harbour regime.
In 2013, widely publicised revelations by Edward Snowden detailed the ability of US intelligence agencies to undertake mass and indiscriminate surveillance without effective judicial oversight, including accessing personal data relating to EU citizens which had been transferred to or stored in the US.
Today, AG Bot declared that the Snowden revelations revealed that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection”. AG Bot considered that such collection of and access to personal data is inconsistent with the fundamental rights for the respect for private life and the protection of personal data as set out within the European Charter. He argued that the lack of judicial oversight and process available to EU citizens in respect of such data collection and access also interferes with the right of EU citizens to an effective remedy, also guaranteed by the European Charter. Due to these infringements of the fundamental rights of EU Citizens, AG Bot concluded that the safe harbour scheme does not ensure adequate protection of personal data as required by the Directive.
In an attack on the jurisdiction of the Commission to bind data protection authorities of Member States, AG Bot also argued that the assessment of adequacy should be a matter for each national data protection authority to determine and the Commission is not empowered to restrict the ability for national authorities to suspend transfers of personal data where a national authority does not believe that sufficient protections are in place in the recipient jurisdiction to protect such data. As such, blanket binding decisions such as approval of adequacy should not result in any complaints made by EU Citizens against the protections present in the recipient jurisdiction being summarily dismissed – national supervisory authorities should consider such complaints and be free to act upon them in relation to data transfer if proven to be justified.
It is important to note that AG Bot specifically stated that his decision does not mean that companies currently relying upon safe harbour which have granted access to the US authorities are in breach of the safe harbour principles – it may be considered that such access is required to comply with US laws; a situation which is specifically provided for within the safe harbour scheme. The issue in point here is whether the safe harbour regime as a whole is consistent with the requirements of the Data Protection Directive and the European Charter in light of the Snowden revelations.
Is the opinion law?
No. The issue will be finally determined by Europe’s highest, the Court of Justice of the European Union. Although the Advocate General’s opinion is not binding upon the European Court of Justice, it is extremely influential.
What does the opinion mean for companies relying upon safe harbour?
Safe harbour is under sustained attack from various data protection authorities in Europe and from Advocate General Bot. Now is the time to take action if you are currently relying on safe harbour to justify transfers.
There are alternative ways of ensuring adequate protection for personal data relating to EU citizens, such as implementing binding corporate rules or executing model clauses between the data exporter and data importer. Consent may also justify certain transfers to the US. Currently, these alternatives remain effective ways of meeting the requirements of the Data Protection Directive where transfer of personal data outside the EEA is necessary.
Companies exporting or importing EU personal data into the EU should make sure they review their transfer arrangements and look to implement appropriate alternative compliance solutions as a back-up.
For more information or to discuss your options going forward, contact Ross McKean (in London) email@example.com / Sylvie Rousseau (in Brussels and Paris) firstname.lastname@example.org / Andy Splittgerber (in Munich) email@example.com or Blanca Escribano (in Madrid) firstname.lastname@example.org.