This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the Safe Harbor, but the validity of the Safe Harbor itself; the AG found that the entire Safe Harbor is invalid as it fails to adequately protect personal data transferred from the EU to the United States.


In 2013, following the Snowden revelations, Austrian student Max Schrems filed a complaint with the Irish Data Protection Commission (“Irish DPA”) claiming, in essence, that the law and practices of the U.S. offer no real protection for EU citizens’ personal data kept in the U.S. against State surveillance.  Schrems’ complaint related to his use of Facebook and the transfer of personal data relating to him under the Safe Harbor to Facebook U.S. (Schrems did not allege that Facebook U.S., as a self-certifying entity to which data is transferred, itself violated the Safe Harbor principles because of any access by U.S. authorities to data that Facebook holds.  The Irish High Court acknowledged this, and the AG found that the allegations “do not amount to a breach by Facebook of the safe harbour principles”.)

The Irish DPA considered that he was not required to investigate the complaint on the basis that it was unsustainable in law: Facebook had self-certified under the Safe Harbor regime, and the Commission had decided in Decision 2000/520/EC that under the Safe Harbor scheme the United States ensured an adequate level of protection of the personal data transferred.

Schrems brought proceedings before the High Court in Ireland for judicial review of the Irish DPA’s decision rejecting his complaint.  The Irish High Court, in turn, referred questions to the CJEU, essentially to ascertain whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on national data protection authorities and prevents them from investigating allegations challenging that finding.

Powers of national DPAs

First, the AG concluded that, under EU law, Decision 2000/520 does not prevent national DPAs from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.  The AG came to this conclusion based on a review of several authorities, including relevant provisions of Directive 95/46, prior CJEU precedent, the Charter of Fundamental Rights of the EU, and his interpretation of Commission Decision 2000/520 itself.

The validity of Commission Decision 2000/520

Despite the issue not being expressly referred to the CJEU, the Advocate General considered that the CJEU should determine the validity of Decision 2000/520.  The AG considered that Decision 2000/520 is invalid as it fails to adequately protect personal data transferred from the EU to the U.S.

In the AG’s view, the problem arises primarily from the U.S. use of derogations in the Safe Harbor, which allow for the Safe Harbor principles to be limited in order to meet “national security, public interest or law enforcement requirements” or to address conflicts of law.  The AG noted that (i) there is no independent authority capable of verifying that the implementation of the derogations from the Safe Harbor principles is limited to what is strictly necessary; and (ii) EU citizens do not have means to obtain access to or rectify or erase their data, or administrative or judicial redress with regard to collection and further processing of their personal data by the U.S. security agencies.  Accordingly, Decision 2000/520 does not contain sufficient guarantees or satisfy requirements of the Data Protection Directive (which gives national DPAs certain investigatory and enforcement powers) or the Charter of Fundamental Rights.

What is the impact?

The AG’s Opinion could have an impact on organizations and broader political discussions regarding EU-U.S. data flows.

  • If the CJEU follows the AG’s Opinion and rules that the Safe Harbor is invalid, organizations that rely on the Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the United States.  Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent.  Binding Corporate Rules are another alternative, but would require more time to put in place.
  • Negotiations on the proposed EU-U.S. Safe Harbor framework are still under way (see our earlier posts here and here).  It will be interesting to observe the impact that the AG’s findings have on these negotiations, particularly regarding requirements that the AG states the U.S. should put in place and about the independence of national DPAs vis-à-vis the Commission.

Also, for those of you wondering if the proposed Regulation may provide a solution, this seems unlikely.  The AG bases some of his findings on provisions of the current Data Protection Directive, but also refers quite extensively to primary EU law, i.e., Articles 7, 8 and 47 of the Charter of Fundamental Rights.  Replacing the Directive with the Regulation would not address more fundamental objections that are based on the Charter.

Next steps

The CJEU will now review the AG’s Opinion, and in the ordinary course of events can be expected to issue its judgment in 5-7 weeks’ time, i.e., at the very end of October, or early November.

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.