Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina Korgol
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Advocate General’s opinion on personal data transfers under the EU/US Safe Harbour scheme

September 28, 2015By Preiskel & Co

The European Commission’s Decision 2000/520/EC of 26 July 2000 (the “Decision”) holds that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme is adequately protected. On 23 September 2015, the Advocate General (the “AG”) advised the European Court of Justice (the “ECJ”) to decide for the invalidity of the Decision. The AG also advised the ECJ to decide that national supervisory authorities should be allowed to investigate and, where appropriate, suspend data transfers to a third country, regardless of the existence of a European Commission’s decision that such third country ensures an adequate level of protection for personal data.

In the meantime, the EU and the US are currently negotiating a new Safe Harbour scheme in order to correct the shortcomings found in the current scheme. The AG observed that, if the Commission decided to enter into negotiations with the US in respect of the Safe Harbour scheme, the Commission had considered beforehand that the level of protection ensured by the US under the safe harbour scheme was no longer adequate.

 

Background of the case

An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”) arguing that, in light of the Edward Snowden’s revelations, the activities of: (i) the US intelligence services, in particular the National Security Agency (the “NSA”); and (ii) the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.

The Irish DP Commissioner rejected the complaint on the basis that the Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.

The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Decision has the effect of preventing a national supervisory authority from: (i) investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data; and (ii) where appropriate, suspending the contested transfer of data.

The role of the AG

The AG has the role to prepare an independent opinion for the ECJ with regards to the questions referred to it by a national court or tribunal. The AG’s opinion is advisory and do not bind the ECJ, but is usually followed by the ECJ.

The AG analysis

The AG considered that the Member States are entitled to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU (the “Charter”) where systemic deficiencies are found in the third country to which personal data is transferred.

The AG expressed the opinion that the wide access by the US intelligence services to personal data transferred to the US amounts to an interference with the right to respect for private life and the right to protection of personal data guaranteed by the Charter. Moreover, the AG advocated that EU citizens do not have an effective remedy or judicial protection in respect of their personal data transferred to the US.

Potential effects of the incoming ECJ decision

The ECJ will issue its preliminary ruling on the questions referred by the High Court of Ireland. The ECJ will not decide the case itself, as it will be decided by the national court or tribunal. However, the ECJ’s preliminary ruling is binding not only on the national court on whose initiative the reference for a preliminary ruling was made but also on all of the national courts of the EU member states.

The ECJ’s ruling could have significant impact on the data processing arrangements between the EU and US, as US companies usually rely on the Safe Harbour scheme to ensure personal data receives an adequate level of protection within the meaning of the EU Data Protection Directive (95/46/EC).

If the ECJ decides to invalidate the Decision in line with the AG opinion, US companies that receive personal data from the EU would have to quickly reassess their data transfer arrangements to ensure compliance with EU Data Protection principles.

Upcoming framework for EU/US personal data transfer  

There are ongoing negotiations between the EU and the US to amend the existing Safe Harbour scheme and address its shortcomings. The AG opinion may help to speed up this process. It is sensible to assume that both parties will try to avoid the uncertainty that could arise out of the invalidation of the existing Safe Harbour scheme in the event that the Decision is declared invalid.

The EU/US umbrella agreement

The European Commission has recently announced that negotiations on the EU/US data protection “umbrella agreement” have been finalised. The umbrella agreement intends to make sure that the US authorities fully comply with EU data protection principles in the process of personal data transferred from the EU to the US for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

 

by Jose Saras and Natalia Porto.

(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto is an associate at Preiskel & Co LLP and can be contacted here)

Latest Preiskel & Co blog posts
  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed
    April 28, 2022
  • TikTok Class action for the Misuse of Child Personal Data
    April 28, 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018
    April 20, 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK
    April 19, 2022
  • Meta hit by 17 million euro fine by Irish regulator
    April 19, 2022
  • Ofcom has mandated that telecoms providers ensure British Sign Language (BSL) for 999
    March 18, 2022
  • Ofcom publishes statement on the future of telephone numbers
    March 15, 2022
  • German court sends biometric data questions to the ECJ
    February 23, 2022
  • Meta fined £1.5m by CMA
    February 7, 2022
  • International data transfer agreement and addendum laid before Parliament
    February 4, 2022
  • CMA publishes statement of scope in music and streaming market study
    February 1, 2022
  • Google Privacy Sandbox faces European Commission complaint from German publishers
    January 24, 2022

The Preiskel Blog

  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed 28 Apr 2022
  • TikTok Class action for the Misuse of Child Personal Data 28 Apr 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018 20 Apr 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK 19 Apr 2022

Preiskel news

  • Daniel Preiskel and Xavier Prida lecturing to Academia Mexicana del Derecho Informático and Abogado Digital
  • Preiskel & Co advises Mexico-based premium content production company Dopamine
  • Danny Preiskel was ranked as a Global Elite Thought Leader in Telecoms & Media by WhosWhoLegal Data 2022
  • Danny Preiskel featured in GCCM (Global Carrier Community Magazine)
Preiskel tweets
  • @jwrosewell @m4aow @w3c @IABTechLab Our pleasure!62 days ago
  • RT @jwrosewell: Great work from @Preiskel and the whole @m4aow team. Thank you. Much for @w3c, @IABTechLab, and others to consider in this…62 days ago
  • RT @TC_4KBW: Google’s battle with publishers shows that at every turn it seeks to block others from competing. it blocked header bidding, b…62 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2022 | Site map | Legal notices | Privacy | Cookie Policy | Privacy | Fraud Notice