Today, the Advocate General of the Court of Justice of the European Union (CJEU, the EU's highest court) issued a far-reaching opinion¹ that has significant implications for the EU-U.S. Safe Harbor program and data transfers between the EU and the U.S. The opinion was issued in Maximillian Schrems v. Data Protection Commissioner, a case in which Schrems challenges Facebook's use of the Safe Harbor framework as a valid legal mechanism to transfer EU personal data to the U.S.

The Advocate General's (AG's) opinion urges the CJEU to rule that EU national data protection authorities (DPAs) have the power to suspend data transfers to Safe Harbor-certified companies in the U.S. and that the Safe Harbor framework is invalid. Given the widespread reliance on the Safe Harbor framework by companies in both the U.S. and EU, the CJEU's adoption of this recommendation would result in significant upheaval of the current environment of data transfers between the two regions.

The AG's opinion is the final step before the court issues its final decision, which is expected soon. While the opinion is not binding on the CJEU, it will certainly be influential. This WSGR Alert provides background on the case, information on the AG's opinion, and the practical implications for companies doing business in the EU.

Background

EU data protection law prohibits the transfer of personal data outside of the EU, unless the data recipient is located in a country that is deemed to provide an adequate level of protection under EU law or there is a legal mechanism in place to provide such adequate level of protection. The U.S. is not considered to provide an adequate level of protection under EU law.

The U.S.-EU Safe Harbor framework is a mechanism that provides a legal basis for data transfers between the EU and the U.S. It was developed by the U.S. Department of Commerce in consultation with the European Commission (which is the EU's executive arm) and was formally recognized as a valid data transfer mechanism by the European Commission's Adequacy Decision of 2000.² It includes seven privacy principles and fifteen FAQs that companies must comply with in order to self-certify to the Safe Harbor framework. By self-certifying, companies voluntarily and publicly commit to abiding by these privacy principles, which are then enforced by the FTC.

The Schrems case was brought in the wake of the revelations concerning the National Security Agency's (NSA's) mass surveillance program. In 2013, an Austrian student, Max Schrems, filed a complaint with the Irish DPA,³ requesting that it investigate Facebook's practices and suspend data transfers to Facebook in the U.S. According to Schrems, the Safe Harbor framework was not providing an adequate level of protection to EU personal data. However, the Irish DPA considered itself to be bound by the European Commission's Adequacy Decision on Safe Harbor and rejected Schrems' complaint. Schrems appealed the DPA's decision to the Irish High Court, which asked the CJEU to clarify whether or not a national DPA is bound by the European Commission's Adequacy Decision.

The Schrems case is set against a background of general criticism of Safe Harbor in the EU. On November 27, 2013, the European Commission issued 13 recommendations to enhance the Safe Harbor framework.⁴ As a result, the EU and the U.S. engaged in negotiations regarding the Safe Harbor framework. However, these negotiations have not yet reached a conclusion.

The Advocate General's Opinion and What It Means in Practice

• The AG's opinion gives national data protection authorities the power to suspend data transfers to the U.S., even though they are covered by the Safe Harbor program. According to the opinion, EU DPAs should investigate claims related to international data transfers, even if these transfers are made in accordance with an EU adequacy decision, such as the one for Safe Harbor. If the conclusion of the investigation is that EU personal data lacks protection abroad, DPAs are allowed to order the suspension of the data transfers. In practice, this would give significant powers to local DPAs, and there is a major risk of fragmentation of the EU internal market. In addition, whether or not transfers are allowed under the Safe Harbor framework would become a matter of national law. We could thus expect that some DPAs that are habitually rather flexible will allow data transfers under the Safe Harbor, while others that are usually more strict will suspend or prohibit data transfers.
• The AG's opinion states that the European Commission's Adequacy Decision on Safe Harbor is invalid. The opinion thus goes beyond the question raised by the Irish court (i.e., whether national DPAs are bound by the commission's Adequacy Decision on Safe Harbor) and suggests invalidating Safe Harbor as such in light of the NSA mass surveillance revelations. In particular, the AG criticizes the broad national security exception foreseen by the Safe Harbor framework, on the basis of which personal data can be disclosed to U.S. law enforcement authorities. The AG states that this exception allows for disproportionate access to EU personal data, does not provide EU citizens with appropriate remedy or redress, does not provide for an independent control mechanism to prevent privacy violations, and allows for secretive access to EU personal data.
• The AG's opinion is a recommendation made to the CJEU, and is not binding on the CJEU. It does not constitute a final decision. The final decision is expected later this year. Therefore, for the time being, the U.S.-EU Safe Harbor framework is still a valid mechanism for transferring personal data to the U.S. However, we can expect that some companies in the EU will be reluctant to rely on the Safe Harbor framework to transfer personal data to the U.S.
• While the CJEU generally follow AGs' opinions, it remains to be seen what position the CJEU will take in this case. In some recent data protection cases, the CJEU has departed from AG opinions and reached stricter conclusions. It seems unlikely that the CJEU will take a softer approach to this matter, but hopefully it will bring some nuances, which are absent from the AG opinion.
• This AG opinion is likely to have an impact on the ongoing negotiations between the EU and the U.S on Safe Harbor. In the short term, it seems likely that the U.S. Department of Commerce and the European Commission will issue statements in response to the AG opinion. In a best-case scenario, both sides of the Atlantic will reach an agreement soon and improve the Safe Harbor to a level sufficient to address the concerns of the AG opinion (and in particular limit the national security exception). If there is a new Safe Harbor framework agreed upon before the CJEU decision, the court may take the changes into account and issue a more nuanced judgment.

Conclusion

This case is of great importance, as it will have a significant impact on the Safe Harbor framework and the ability of U.S. companies to import EU personal data. In light of the AG's opinion, companies should start planning ahead and assessing alternative options for data transfers in case the Safe Harbor framework is invalidated or made much stricter as a consequence of the CJEU decision expected later this year. Changing data transfer strategies takes time and should be planned in advance.

We are monitoring this case and the EU-U.S. negotiations closely, and will update you on any new developments.

¹ See Opinion of the Advocate General Bot, delivered on September 23, 2015, in Case C362/14 Maximillian Schrems v Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf.