By Daniel L. Farris
EU Advocate General Yves Bot sent shockwaves through the privacy and data security community on Wednesday when he delivered an opinion to the European Court of Justice advising that the entire US-EU Safe Harbor framework should be struck down, and further that the Data Protection Authorities (DPAs) of member states must be permitted to independently investigate and enforce European data protection standards against companies engaged in transatlantic data transfers, regardless of Safe Harbor certification. The opinion is not binding, but it is likely to embolden DPAs to increase oversight and enforcement activity against companies transmitting data from the EU to the US. Any organization relying on Safe Harbor to support transatlantic data flows should take note and should consider alternatives to Safe Harbor for such transfers.
Safe Harbor and the Data Protection Directive
European Union Directive 95/46/EC, known as the “Data Protection Directive” (Directive), was adopted in 1995. The Directive sets forth requirements for the protection of individual privacy with regard to the collection, storage, processing, and use of personal data, including limits on the free movement of such personal data. The EU treats the protection of personal data as a fundamental right (see Article 8 of the EU Charter of Fundamental Rights, including the requirement in Article 8(3) that compliance be overseen by an independent authority, and Article 16 of the Treaty on the Functioning of the European Union), and the Directive requires every member state to enact and enforce data protection laws at least as protective as the Directive itself. A key element of the Directive (Article 25) prohibits the transfer of personal data outside the EU to any country that does not ensure an adequate level of protection, meaning privacy laws at least as protective as the requirements of the Directive. The United States has no comprehensive law of that kind.
The Safe Harbor framework, negotiated between the US Department of Commerce and the European Commission, allows US organizations to self-certify adherence to the Safe Harbor Privacy Principles as a basis for receiving personal data from the EU. Europeans expressed doubt about Safe Harbor from the beginning. In 2000, however, the European Commission issued Decision 2000/520, which found that the Safe Harbor Agreement provided adequate protection for the privacy of European citizens. Since then, member state DPAs have been hesitant to independently examine transfers of data made under the Safe Harbor principles.
Schrems v Data Protection Commissioner Background
In June 2013, an Austrian law graduate named Max Schrems filed a complaint with the Irish DPA, alleging that Facebook’s transfer of his data from its Irish subsidiary to the United States violated his privacy rights and the Safe Harbor principles, in light of Edward Snowden’s revelations about the National Security Agency’s broad access to, and collection of, records stored on US servers under the PRISM program. The Irish DPA declined to investigate the complaint, citing the European Commission’s Decision 2000/520. Schrems challenged that refusal in the Irish High Court, which referred two questions to the EU Court of Justice. Both questions sought clarification on whether member state DPAs are bound by Decision 2000/520, and whether, or to what extent, DPAs may or must independently investigate Safe Harbor related complaints. The case was heard before the EU Court of Justice in March of this year, and AG Bot issued his opinion yesterday.
It is important to note that the opinion is not a judgment and is not binding. Instead, the EU Court of Justice relies on advocates general to act with “complete impartiality and independence” in issuing guidance and advice. That said, the EU Court of Justice follows the opinion of the advocate general in approximately 85% of cases. The Court’s judgment is expected within the next few weeks to months.
The Bot Opinion
In his Opinion, AG Bot first determines that Decision 2000/520, which found that the Safe Harbor Agreement provides adequate privacy protection, does not bar member state DPAs from investigating privacy complaints like Schrems’s. To find otherwise, Bot said, would violate the principle of independence that EU law guarantees to DPAs.
Having answered the central question at issue, however, Bot went further, taking the position that Decision 2000/520 is no longer valid, that Safe Harbor as a framework does not provide an adequate level of data protection, and that the Decision should therefore be invalidated in its entirety.
Should the EU Court of Justice adopt the Bot Opinion, the impact on US-EU data transfers could be significant, to say the least. Striking down the Safe Harbor Agreement would materially disrupt settled global data protection compliance programs, could affect international trade, and may affect internal data flows and established business relationships among partners. Thousands of US companies rely on Safe Harbor to lawfully move data between the United States and Europe. Those transfers, at least as currently processed, could become unlawful within a matter of weeks or months. At the very least, companies relying on Safe Harbor to transfer data can reasonably expect a sizable uptick in regulatory enforcement campaigns, investigations, and potentially fines or suspensions of data transfers ordered by member state DPAs.
US companies relying on Safe Harbor should prepare for material increases in regulatory compliance spending and activity relating to data transfers from Europe. Organizations that are certified as Safe Harbor compliant should consider internal audits to confirm that business practices actually align with their published privacy policies and the Safe Harbor Privacy Principles. Demonstrable minimization of data collection and use, adequate data security measures and access controls, data quality, and meaningful oversight of privacy practices will be critical in any investigation.
With time left before the EU Court of Justice renders a decision, companies relying on Safe Harbor should also consider alternative legal bases for transmitting data from the EU to the US. Perhaps the best alternative is the adoption of Binding Corporate Rules that comply with the Data Protection Directive. Binding Corporate Rules are typically complex and time consuming, however, sometimes taking a year or more to draft, adopt, and secure approval from European regulators. A further alternative is to execute Standard Contractual Clauses (the Commission-approved model data protection agreements) with each trading partner, though this option may not entirely remove regulatory oversight either, and it increases administrative and legal costs on the front end of deals.
Regardless of the preferred option, companies should not sit idly by and wait. Use the time you have to verify your own compliance and develop a Plan B while you monitor the EU Court of Justice for its judgment in the Schrems case.
For More Information
For assistance in understanding how the Bot Opinion may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.