The European Commission’s Decision 2000/520/EC of 26 July 2000 (the “Decision”) holds that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme is adequately protected. On 23 September 2015, the Advocate General (the “AG”) advised the European Court of Justice (the “ECJ”) to decide for the invalidity of the Decision. The AG also advised the ECJ to decide that national supervisory authorities should be allowed to investigate and, where appropriate, suspend data transfers to a third country, regardless of the existence of a European Commission’s decision that such third country ensures an adequate level of protection for personal data.
In the meantime, the EU and the US are currently negotiating a new Safe Harbour scheme in order to correct the shortcomings found in the current scheme. The AG observed that, if the Commission decided to enter into negotiations with the US in respect of the Safe Harbour scheme, the Commission had considered beforehand that the level of protection ensured by the US under the safe harbour scheme was no longer adequate.
Background of the case
An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”) arguing that, in light of the Edward Snowden’s revelations, the activities of: (i) the US intelligence services, in particular the National Security Agency (the “NSA”); and (ii) the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.
The Irish DP Commissioner rejected the complaint on the basis that the Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.
The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Decision has the effect of preventing a national supervisory authority from: (i) investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data; and (ii) where appropriate, suspending the contested transfer of data.
The role of the AG
The AG has the role to prepare an independent opinion for the ECJ with regards to the questions referred to it by a national court or tribunal. The AG’s opinion is advisory and do not bind the ECJ, but is usually followed by the ECJ.
The AG analysis
The AG considered that the Member States are entitled to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU (the “Charter”) where systemic deficiencies are found in the third country to which personal data is transferred.
The AG expressed the opinion that the wide access by the US intelligence services to personal data transferred to the US amounts to an interference with the right to respect for private life and the right to protection of personal data guaranteed by the Charter. Moreover, the AG advocated that EU citizens do not have an effective remedy or judicial protection in respect of their personal data transferred to the US.
Potential effects of the incoming ECJ decision
The ECJ will issue its preliminary ruling on the questions referred by the High Court of Ireland. The ECJ will not decide the case itself, as it will be decided by the national court or tribunal. However, the ECJ’s preliminary ruling is binding not only on the national court on whose initiative the reference for a preliminary ruling was made but also on all of the national courts of the EU member states.
The ECJ’s ruling could have significant impact on the data processing arrangements between the EU and US, as US companies usually rely on the Safe Harbour scheme to ensure personal data receives an adequate level of protection within the meaning of the EU Data Protection Directive (95/46/EC).
If the ECJ decides to invalidate the Decision in line with the AG opinion, US companies that receive personal data from the EU would have to quickly reassess their data transfer arrangements to ensure compliance with EU Data Protection principles.
Upcoming framework for EU/US personal data transfer
There are ongoing negotiations between the EU and the US to amend the existing Safe Harbour scheme and address its shortcomings. The AG opinion may help to speed up this process. It is sensible to assume that both parties will try to avoid the uncertainty that could arise out of the invalidation of the existing Safe Harbour scheme in the event that the Decision is declared invalid.
The EU/US umbrella agreement
The European Commission has recently announced that negotiations on the EU/US data protection “umbrella agreement” have been finalised. The umbrella agreement intends to make sure that the US authorities fully comply with EU data protection principles in the process of personal data transferred from the EU to the US for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
by Jose Saras and Natalia Porto.