Under current EU data protection law, there is a general prohibition on transferring personal data to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection” for the personal data.
The European Commission has certified that a number of non-EEA countries do provide “adequate protection”. In relation to the US, it has developed Safe Harbor, an arrangement whereby US companies can themselves be certified as providing adequate protection. Provided a US company has a Safe Harbor certification, the transfer of personal data to it is permitted.
However, the Safe Harbor arrangements have been heavily criticised since Edward Snowden’s revelations about US security agencies accessing personal data on a mass scale. The European Commission has been engaged in a lengthy negotiation with US authorities about how Safe Harbor operates with a view to improving the protection it gives EU citizens. Whilst the EU Parliament has called for the suspension of Safe Harbor, the Commission’s position has been to keep it in place pending the outcome of the current negotiations.
The current case arose when an Austrian individual challenged Facebook’s transfer of his personal data from its Irish subsidiary to its servers in the US. He argued that the Irish data protection authority (“DPA”) should have prevented the transfer on the basis that the US no longer ensures an adequate level of protection in light of Mr Snowden’s revelations.
The dispute has now found its way to the CJEU. Prior to the Court’s judgment being issued, the Advocate General (“AG”) has issued his non-binding Opinion.
He decided that the current Safe Harbor arrangements are incompatible with the fundamental principles of EU law protecting personal data and are therefore invalid. In broad terms, this was because:
- The mass surveillance and interception operations revealed by Mr Snowden constituted a clear interference with the privacy rights of individuals;
- Such interference could not be justified on the grounds of national security. By collecting personal data in bulk and without requiring suspicion that an individual was a threat to national security, the data collection could not be considered proportionate or necessary;
- The Safe Harbor arrangements did not provide adequate safeguards against interference by US law enforcement or security agencies. The current arrangements have a general exception for national security issues, the use of which cannot be effectively monitored; and
- EU citizens do not have rights in the US to challenge the gathering of their data by security agencies, and therefore their rights cannot be protected.
The AG’s Opinion is not binding on the CJEU, which will make the final determination as to the status of Safe Harbor. The Court will usually (but not always) follow the AG’s Opinion.
Current cross-border transfers
Given the uncertain status of the Safe Harbor arrangements, it may be preferable for EU businesses transferring personal data to the US to use an alternative means of ensuring “adequacy” (e.g. by using the Commission’s Standard Contractual Clauses).
Where Safe Harbor is used and relied upon, businesses should consider putting in place contractual provisions permitting them to replace Safe Harbor as a transfer mechanism should it be deemed invalid, or be suspended or terminated.