Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Advocate General’s opinion on personal data transfers under the EU/US Safe Harbour scheme

September 28, 2015By Preiskel & Co

The European Commission’s Decision 2000/520/EC of 26 July 2000 (the “Decision”) holds that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme is adequately protected. On 23 September 2015, the Advocate General (the “AG”) advised the European Court of Justice (the “ECJ”) to decide for the invalidity of the Decision. The AG also advised the ECJ to decide that national supervisory authorities should be allowed to investigate and, where appropriate, suspend data transfers to a third country, regardless of the existence of a European Commission’s decision that such third country ensures an adequate level of protection for personal data.

In the meantime, the EU and the US are currently negotiating a new Safe Harbour scheme in order to correct the shortcomings found in the current scheme. The AG observed that, if the Commission decided to enter into negotiations with the US in respect of the Safe Harbour scheme, the Commission had considered beforehand that the level of protection ensured by the US under the safe harbour scheme was no longer adequate.

 

Background of the case

An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”) arguing that, in light of the Edward Snowden’s revelations, the activities of: (i) the US intelligence services, in particular the National Security Agency (the “NSA”); and (ii) the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.

The Irish DP Commissioner rejected the complaint on the basis that the Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.

The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Decision has the effect of preventing a national supervisory authority from: (i) investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data; and (ii) where appropriate, suspending the contested transfer of data.

The role of the AG

The AG has the role to prepare an independent opinion for the ECJ with regards to the questions referred to it by a national court or tribunal. The AG’s opinion is advisory and do not bind the ECJ, but is usually followed by the ECJ.

The AG analysis

The AG considered that the Member States are entitled to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU (the “Charter”) where systemic deficiencies are found in the third country to which personal data is transferred.

The AG expressed the opinion that the wide access by the US intelligence services to personal data transferred to the US amounts to an interference with the right to respect for private life and the right to protection of personal data guaranteed by the Charter. Moreover, the AG advocated that EU citizens do not have an effective remedy or judicial protection in respect of their personal data transferred to the US.

Potential effects of the incoming ECJ decision

The ECJ will issue its preliminary ruling on the questions referred by the High Court of Ireland. The ECJ will not decide the case itself, as it will be decided by the national court or tribunal. However, the ECJ’s preliminary ruling is binding not only on the national court on whose initiative the reference for a preliminary ruling was made but also on all of the national courts of the EU member states.

The ECJ’s ruling could have significant impact on the data processing arrangements between the EU and US, as US companies usually rely on the Safe Harbour scheme to ensure personal data receives an adequate level of protection within the meaning of the EU Data Protection Directive (95/46/EC).

If the ECJ decides to invalidate the Decision in line with the AG opinion, US companies that receive personal data from the EU would have to quickly reassess their data transfer arrangements to ensure compliance with EU Data Protection principles.

Upcoming framework for EU/US personal data transfer  

There are ongoing negotiations between the EU and the US to amend the existing Safe Harbour scheme and address its shortcomings. The AG opinion may help to speed up this process. It is sensible to assume that both parties will try to avoid the uncertainty that could arise out of the invalidation of the existing Safe Harbour scheme in the event that the Decision is declared invalid.

The EU/US umbrella agreement

The European Commission has recently announced that negotiations on the EU/US data protection “umbrella agreement” have been finalised. The umbrella agreement intends to make sure that the US authorities fully comply with EU data protection principles in the process of personal data transferred from the EU to the US for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

 

by Jose Saras and Natalia Porto.

(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto is an associate at Preiskel & Co LLP and can be contacted here)

Latest Preiskel & Co blog posts
  • CMA AI Report: The Foundation of the UK’s AI Response
    September 21, 2023
  • Navigating Health Data Compliance: A Roadmap for Employers
    September 21, 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
    September 15, 2023
  • Practical Guide – Net Neutrality in the UK
    September 14, 2023
  • Virgin succeeded in defending a claim by EE for loss of EE’s profits caused by Virgin’s breach of the MVNO Exclusivity Clause
    September 12, 2023
  • Getting out of a (data) scrape: global statement published for the protection of publicly accessible personal data online
    September 8, 2023
  • The dark side of design: the ICO and CMA call for businesses to rethink their website layouts
    August 18, 2023
  • Could the Supreme Court’s ruling on litigation funding agreements cause havoc for litigation funders?
    August 17, 2023
  • US Threats of a ‘Te(ch)xodus’ from the UK?
    August 17, 2023
  • Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision
    August 4, 2023
  • Unlocking Data Flows: EU-US Data Privacy Framework Receives Adequacy Decision
    July 13, 2023
  • UK’s World Leading Approach on Artificial Intelligence – White Paper outlines 5 guideline principles for responsible use of AI
    July 5, 2023

The Preiskel Blog

  • CMA AI Report: The Foundation of the UK’s AI Response 21 Sep 2023
  • Navigating Health Data Compliance: A Roadmap for Employers 21 Sep 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK 15 Sep 2023
  • Practical Guide – Net Neutrality in the UK 14 Sep 2023

Preiskel news

  • Practical Guide – Net Neutrality in the UK
  • Danny Preiskel featured in GCCM Magazine (June/July 2023 issue 55)  
  • Danny Preiskel moderating a panel at the MEF Connects – The Future of Fraud Prevention event (5th September 2023, hybrid)
  • Preiskel & Co advised TMT Analysis on the acquisition of Phronesis Technologies
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy