The 1995 EU Privacy Directive 95/46/EC provides that personal data of say, employees, to third countries, like the United States, may only be done with employee consent and only where the U.S. has ensured an adequate level of data protection. The EU itself can endorse a country’s compliance with data security. Some 4,410 U.S. companies doing business in the EU have long been familiar with the “safe harbor” under the Privacy Directive that permits U.S. companies to receive their EU employees’ data consistent with the directive. But this week the validity of the Safe Harbor was put into question when the High Court of Ireland, through an advisory opinion authored by Advocate General Yves Bot, opined that a national supervisory data authority can still trump an EU Commission determination that a third country, like the USA, meets the Safe Harbor requirements and thereby suspend data transfers to that country.
The case arose when Maximllian Schrems from Austria brought a complaint with the Irish Data Protection Commissioner. Schrems alleged that Facebook’s transfer of data that he provided to Facebook through his use of it to Facebook servers in the United States violated the Privacy Directive 95/46/EC. The Irish Commissioner rejected the complaint on grounds that the United States had ensured a valid level of data protection through the Safe Harbor regulations promulgated by the Federal Trade Commission and the International Trade Administration in 2000. Advocate General Bot disagreed in light of the 2013 Edward Snowden disclosures of National Security Agency surveillance of personal data, including that of EU citizens. Schrems had asserted that the data transfer of his Facebook information to the United States did not meet the Privacy Directive requirements because of the NSA’s access to EU citizen data.
As stated in the High Court’s opinion: “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” which is guaranteed in the EU’s Charter of Fundamental Human Rights. According to the Advocate General, the Safe Harbor does not appropriately guarantee the prevention of mass monitoring or general access to transferred data and no independent authority [except maybe Congress] has the ability to monitor breaches of personal privacy protections with respect to EU citizens. Accordingly, the Advocate General recommended that the EU Court of Justice should conclude that the that the Safe Harbor and United States law does not contain sufficient guarantees of data protection such that the data transfer complained of by Schrems was improper.
While the Advocate General’s decision is not binding on the EU Court of Justice, the implications of the opinion are far-reaching for U.S. companies doing business in the EU. In commenting on the opinion, Schrems stated that "The end of this privileged status [Safe Harbor] would not mean that personal data cannot be transferred between the EU and the US . . . Most transfers of personal data between the EU and the US, like communication, hotel bookings, bank transfers and almost all other forms of necessary data transfers, are always possible under a long list of exceptions in the current EU law." That may be, but what happens when a U.S. company keeps the data of its employees working in the EU because, well, it employs them? If the safe harbor is ruled dead by the EU Court of Justice, companies presently subject to safe harbor certification will have to find new legal bases to transfer data, such as “standard contractual clauses”, which are permitted under the EU Directive.
The EU Data Protection Supervisor has recommended revisions to the General Data Protection Regulation and industry experts expect the European Commission to adopt new rules by the end of 2015, including with regard to the Safe Harbor.
