The European Court of Justice opinion in the Facebook/Schrems case effectively invalidates Safe Harbor: some initial thoughts on the opinion


Schrems vs Facebook
 

Gregory P Bufithis, Esq.
Founder/Chairman
The Project Counsel Group

 

 

23 September 2015 (from Luxembourg) – In an opinion issued today (links at end of this post), the advocate general of the European Court of Justice (Yves Bot) has said the mass transfer of EU user data to the U.S. by companies such as Facebook contradicts EU data protection laws and represents a breach of the fundamental right to privacy. In a preliminary and non-binding assessment ahead of a full ruling, he also recommended that the court invalidate the existing “Safe Harbor” rules.

The opinion is not binding, but in 80% of these cases an opinion is reflected in the final judgment. In the last three years there has been only one time the Court has not followed the advocate general's opinion.

Obviously the final verdict on this case (expected later this year, although the Court could delay until early next year) could have far-reaching consequences for EU-US diplomatic and trade relations. Never mind the ongoing talks on a transatlantic free-trade agreement. It is not just an issue of how the Irish Data Protection Commissioner supervises U.S. high-tech multinationals based in Ireland, including Facebook.

And as always in these cases inter-institutional politics and pressure certainly had their impact. The opinion was due this past June but reports I received said political pressure was quietly applied to delay the decision to allow the Commission time to complete an intensive series of negotiations. Those negotiations have clearly not addressed the issues raised in the Court opinion.  As a Commission representative told me today “so it looks like we might have a few more months to try and get it right”.  

This is a case I have followed for 3 years. Rather than recite all the facts, for a detailed background on all of the issues please see a previous post of mine (click here).

The Opinion is 48 pages long and complex. I have given it several reads and I will produce a more thorough analysis, but here are my initial comments:

1. If you want to learn the basic principles and history (as well as some of the intricate vernacular) of Safe Harbor just read the first few pages of the opinion which put into perspective transfers of personal data, the “important and necessary element of the transatlantic relationship”, adequacy of data protection, privacy principles, the EU data protection scheme and the European Charter.

2. Bot criticized the European Commission for permitting ongoing data transfer under existing “Safe Harbor” provisions, despite its concerns over the use of the data following revelations by whistleblower Edward Snowden. He wrote (paragraph 234 of the opinion):

 
“Although it was aware of shortcomings, the Commission neither suspended nor adapted that decision, thus entailing the continuation of the breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the safe harbor scheme.”

He elaborates in the opinion how the Commission erred in not examining how the Safe Harbor provisions were implemented in practice, and in allowing data transfers to continue while it negotiated new data transfer rules with US authorities. The examination of the practice would reveal that the arrangements were not working correctly. The Commission, by its own admission, acknowledged that the Safe Harbor agreement did not contain appropriate guarantees and should have suspended the functioning of Safe Harbor before starting negotiations.

3. More importantly, he found the Commission Safe Harbor decision “invalid” (paragraph 237):

“Commission Decision 2000/520/EC of 26 July 2000 [Safe Harbor] is [on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions] invalid”.

He detailed how permitting EU citizen data to be fed into the U.S. mass surveillance systems contradicted both the standards of the EU’s own data protection directive and the EU Charter of Fundamental Rights.

4. He also called for greater rights for national data protection commissioners to investigate complaints by EU citizens that their data protection and privacy rights are being breached. There is an excellent analysis (from paragraph 74 onward) of the fact that there is “no hierarchical connection” between Commission directives, the Charter and national authorities to suggest that the provisions on the national supervisory authorities are in any way subordinate to the separate provisions on data transfers. Therefore the authorization of the transfer of personal data to a third country ensuring an adequate level of protection can be examined by the national data protection commissioners, and they need not take the Commission’s word that protection is “adequate”. The powers of the national supervisory authorities to investigate, with complete independence, complaints submitted to them must be interpreted broadly in accordance with the EU Charter. Those powers cannot be limited by the powers which the EU legislature has conferred on the Commission.

DigitalEurope, a trade group that represents companies such as Apple, Google, Microsoft, etc., said in a press release today:

“We are concerned about the potential disruption to international data flows if the court follows today’s opinion.  If the safe harbor system is gone, it is very likely that the data protection authorities in the 28 EU member states will not allow data transfers to U.S. companies that are subject to mass surveillance laws. This may have major commercial downsides for the U.S. tech industry.”

 
Obviously: it would be anathema if they need to deal with 28 separate data protection commissioners.

For e-discovery practitioners, the effect is obvious.  But many company representatives here in Luxembourg said the Safe Harbor scheme helped them get round cumbersome checks to transfer vital data, including payroll and human resources information, between offices on both sides of the Atlantic.

 

The press release is here:

 

The full opinion is here.

 

 
