Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina Korgol
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Advocate General’s opinion on personal data transfers under the EU/US Safe Harbour scheme

September 28, 2015By Preiskel & Co

The European Commission’s Decision 2000/520/EC of 26 July 2000 (the “Decision”) holds that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme is adequately protected. On 23 September 2015, the Advocate General (the “AG”) advised the European Court of Justice (the “ECJ”) to decide for the invalidity of the Decision. The AG also advised the ECJ to decide that national supervisory authorities should be allowed to investigate and, where appropriate, suspend data transfers to a third country, regardless of the existence of a European Commission’s decision that such third country ensures an adequate level of protection for personal data.

In the meantime, the EU and the US are currently negotiating a new Safe Harbour scheme in order to correct the shortcomings found in the current scheme. The AG observed that, if the Commission decided to enter into negotiations with the US in respect of the Safe Harbour scheme, the Commission had considered beforehand that the level of protection ensured by the US under the safe harbour scheme was no longer adequate.

 

Background of the case

An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”) arguing that, in light of the Edward Snowden’s revelations, the activities of: (i) the US intelligence services, in particular the National Security Agency (the “NSA”); and (ii) the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.

The Irish DP Commissioner rejected the complaint on the basis that the Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.

The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Decision has the effect of preventing a national supervisory authority from: (i) investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data; and (ii) where appropriate, suspending the contested transfer of data.

The role of the AG

The AG has the role to prepare an independent opinion for the ECJ with regards to the questions referred to it by a national court or tribunal. The AG’s opinion is advisory and do not bind the ECJ, but is usually followed by the ECJ.

The AG analysis

The AG considered that the Member States are entitled to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU (the “Charter”) where systemic deficiencies are found in the third country to which personal data is transferred.

The AG expressed the opinion that the wide access by the US intelligence services to personal data transferred to the US amounts to an interference with the right to respect for private life and the right to protection of personal data guaranteed by the Charter. Moreover, the AG advocated that EU citizens do not have an effective remedy or judicial protection in respect of their personal data transferred to the US.

Potential effects of the incoming ECJ decision

The ECJ will issue its preliminary ruling on the questions referred by the High Court of Ireland. The ECJ will not decide the case itself, as it will be decided by the national court or tribunal. However, the ECJ’s preliminary ruling is binding not only on the national court on whose initiative the reference for a preliminary ruling was made but also on all of the national courts of the EU member states.

The ECJ’s ruling could have significant impact on the data processing arrangements between the EU and US, as US companies usually rely on the Safe Harbour scheme to ensure personal data receives an adequate level of protection within the meaning of the EU Data Protection Directive (95/46/EC).

If the ECJ decides to invalidate the Decision in line with the AG opinion, US companies that receive personal data from the EU would have to quickly reassess their data transfer arrangements to ensure compliance with EU Data Protection principles.

Upcoming framework for EU/US personal data transfer  

There are ongoing negotiations between the EU and the US to amend the existing Safe Harbour scheme and address its shortcomings. The AG opinion may help to speed up this process. It is sensible to assume that both parties will try to avoid the uncertainty that could arise out of the invalidation of the existing Safe Harbour scheme in the event that the Decision is declared invalid.

The EU/US umbrella agreement

The European Commission has recently announced that negotiations on the EU/US data protection “umbrella agreement” have been finalised. The umbrella agreement intends to make sure that the US authorities fully comply with EU data protection principles in the process of personal data transferred from the EU to the US for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.

 

by Jose Saras and Natalia Porto.

(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto is an associate at Preiskel & Co LLP and can be contacted here)

Latest Preiskel & Co blog posts
  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights
    January 19, 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU
    January 12, 2023
  • Saving the WWW from the W3C
    December 20, 2022
  • Imminent US adequacy decision to be met by legal challenges from privacy advocates
    December 13, 2022
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
    December 13, 2022
  • Telecoms Security Framework (TSF) – Background and Requirements
    December 8, 2022
  • Updated EU Commission decision paves way for 5G on the road and in-flight connectivity innovation
    November 29, 2022
  • Controller Binding Corporate Rules – EDPB adopts new recommendations on the application for approval and the elements and principles of the Rules
    November 25, 2022
  • ICO reveals new transfer risk assessment tool
    November 25, 2022
  • Ofcom publishes new rules for telecoms providers to combat scam calls
    November 23, 2022
  • The Future Is Now: The Disruptive Power of AI and Its Legal Ramifications in The Metaverse
    November 9, 2022
  • CJEU clarifies the interpretation of purpose and storage limitation principles under the GDPR
    October 27, 2022

The Preiskel Blog

  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights 19 Jan 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU 12 Jan 2023
  • Saving the WWW from the W3C 20 Dec 2022
  • Imminent US adequacy decision to be met by legal challenges from privacy advocates 13 Dec 2022

Preiskel news

  • Preiskel & Co’s corporate team advised IXAfrica regarding a highly significant technology infrastructure investment for East Africa
  • Preiskel & Co’s Technology M&A Global Practice Guide published by Chambers
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
  • Preiskel & Co ranked in Chambers for FinTech Legal, Data Protection and Cyber Security
Preiskel tweets
  • Important decision impacting how companies must provide personal data requested by data subjects under their access… https://t.co/J39PFCbg0I7 days ago
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU. Find out more here: https://t.co/Or9NlgMfXT #CyberSecurity14 days ago
  • Preiskel & Co’s corporate team advised IXAfrica regarding a highly significant technology infrastructure investment… https://t.co/iAVpUxhttj17 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy