The September 23, 2015 opinion from the European Commission (“EC”) Advocat General concerning the U.S. – EU Safe Harbor program, has led some in the media to predict that “European operations of Facebook and Google could be stopped in their tracks.” This is not likely to happen. The EU Safe Harbor Program permits personal data transfers from the EU to the U.S. if the recipient company agrees to abide by certain EU data protection principles.The opinion concededly has significant potential to lead to changes in how personal data is transferred from European Union member states to the U.S., if the European Court of Justice agrees with the Advocat General. Certain EU Member State Data Protection Authorities (DPA) may suspend data transfers from that country to the U.S. under the Safe Harbor Program, but alternative means to transfer personal data do exist.
The litigation that resulted in this opinion was brought by Maximillian Schrems, an Austrian student with a Facebook account. Shrems’ Facebook account data was stored with Facebook USA, under the Safe Harbor program. Schrems contended that Safe Harbor does not provide an appropriate level of protection, contrary to a European Commission (E.C.) opinion issued in 2000 approving Safe Harbor transfers, because the disclosures of Edward Snowden have shown that the US. National Security Agency has unrestricted access to personal data in the U.S., including that of EU citizens.
The lengthy opinion, distilled to its essence, argues that the Member State DPAs should have the right to investigate Safe Harbor and to suspend transfers from that country if the DPA finds that Safe Harbor does not provide an appropriate level of protection for its citizens. Because the 2000 opinion does not give Member States the right to suspend transfers, the Advocat General opined, the 2000 E.C. opinion has been rendered invalid by N.S.A. surveillance that, in effect, removes the protections for EU citizens’ data in the Safe Harbor program.
Is this the end of the Safe Harbor Program? Not necessarily. The opinion was rendered by the Advocat General, not the European Court of Justice. It’s an advisory opinion submitted to the court, and is non-binding. The court usually goes along with the advice of the Advocat General, but not always, and is expected to rule in about a month or so. The State Department and the E.C. have been in negotiations about revisions to Safe Harbor, and the court may decline to rule pending the outcome of those negotiations.
If the court agrees with the Advocat General, the result will be that certain individual countries (but likely not all) may decide that they will suspend data transfers under Safe Harbor. If this occurs, contracts called data transfer agreements, using EU-approved Model Contract clauses on data protection can be implemented and cross-border data transfers will not grind to a halt, as many in media have suggested.
If you have questions about the Safe Harbor program or alternative means of EU-U.S. data transfers, please call Kenneth N. Rashbaum.