This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the Safe Harbor, but the validity of the Safe Harbor itself; the AG found that the entire Safe Harbor is invalid as it fails to adequately protect personal data transferred from the EU to the United States.

Background

In 2013, following the Snowden revelations, Austrian student Max Schrems filed a complaint with the Irish Data Protection Commission (“Irish DPA”) claiming, in essence, that the law and practices of the U.S. offer no real protection for EU citizens’ personal data kept in the U.S. against State surveillance.  Schrems’ complaint related to his use of Facebook and the transfer of personal data relating to him under the Safe Harbor to Facebook U.S. (Schrems did not allege that Facebook U.S., as a self-certifying entity to which data is transferred, itself violated the Safe Harbor principles because of any access by U.S. authorities to data that Facebook holds.  The Irish High Court acknowledged this, and the AG found that the allegations “do not amount to a breach by Facebook of the safe harbour principles”.)

The Irish DPA considered that he was not required to investigate the complaint on the basis that it was unsustainable in law: Facebook had self-certified under the Safe Harbor regime, and the Commission had decided in Decision 2000/520/EC that under the Safe Harbor scheme the United States ensured an adequate level of protection of the personal data transferred.

Schrems brought proceedings before the High Court in Ireland for judicial review of the Irish DPA’s decision rejecting his complaint.  The Irish High Court, in turn, referred questions to the CJEU, essentially to ascertain whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on national data protection authorities and prevents them from investigating allegations challenging that finding.

Powers of national DPAs

First, the AG concluded that, under EU law, Decision 2000/520 does not prevent national DPAs from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.  The AG came to this conclusion based on a review of several authorities, including relevant provisions of Directive 95/46, prior CJEU precedent, the Charter of Fundamental Rights of the EU, and his interpretation of Commission Decision 2000/520 itself.

The validity of Commission Decision 2000/520

Despite the issue not being expressly referred to the CJEU, the Advocate General considered that the CJEU should determine the validity of Decision 2000/520.  The AG considered that Decision 2000/520 is invalid as it fails to adequately protect personal data transferred from the EU to the U.S.

In the AG’s view, the problem arises primarily from the U.S. use of derogations in the Safe Harbor, which allow for the Safe Harbor principles to be limited in order to meet “national security, public interest or law enforcement requirements” or to address conflicts of law.  The AG noted that (i) there is no independent authority capable of verifying that the implementation of the derogations from the Safe Harbor principles is limited to what is strictly necessary; and (ii) EU citizens do not have means to obtain access to or rectify or erase their data, or administrative or judicial redress with regard to collection and further processing of their personal data by the U.S. security agencies.  Accordingly, Decision 2000/520 does not contain sufficient guarantees or satisfy requirements of the Data Protection Directive (which gives national DPAs certain investigatory and enforcement powers) or the Charter of Fundamental Rights.

What is the impact?

The AG’s Opinion could have an impact on organizations and broader political discussions regarding EU-U.S. data flows.

  • If the CJEU follows the AG’s Opinion and rules that the Safe Harbor is invalid, organizations that rely on the Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the United States.  Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent.  Binding Corporate Rules are another alternative, but would require more time to put in place.
  • Negotiations on the proposed EU-U.S. Safe Harbor framework are still under way (see our earlier posts here and here).  It will be interesting to observe the impact that the AG’s findings have on these negotiations, particularly regarding requirements that the AG states the U.S. should put in place and about the independence of national DPAs vis-à-vis the Commission.

Also, for those of you wondering if the proposed Regulation may provide a solution, this seems unlikely.  The AG bases some of his findings on provisions of the current Data Protection Directive, but also refers quite extensively to primary EU law, i.e., Articles 7, 8 and 47 of the Charter of Fundamental Rights.  Replacing the Directive with the Regulation would not address more fundamental objections that are based on the Charter.

Next steps

The CJEU will now review the AG’s Opinion, and in the ordinary course of events can be expected to issue its judgment in 5-7 weeks’ time, i.e., at the very end of October, or early November.

Mark Young


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.