Is it still safe to rely on Safe Harbor?
Recent developments in a case involving Facebook have cast further doubt on the future of ‘Safe Harbor’, which is a widely used framework to enable the transfer of personal data from the EU to the US in accordance with data protection law.
An opinion by Advocate General Bot in the case of Schrems v Data Protection Commissioner (C-362/14) has concluded that the European Commission’s finding of adequacy for Safe Harbor is no longer valid because it does not ensure adequate protection for EU citizens, and that national data protection authorities have the right to consider complaints relating to Safe Harbor transfers. This is the latest is a series of challenges to Safe Harbor since revelations by whistle-blower Edward Snowden of widespread data collection by US security agencies. However, the case has not yet been decided by the court, and although the Advocate General’s opinion is likely to be influential, it is by no means certain that the court will take the same approach in its final judgment.
The case arose from a complaint by Mr Schrems, an Austrian Facebook user, to the Irish Data Protection Commissioner. Mr Schrems alleged that the transfer of his personal data from Facebook Ireland to Facebook’s US parent, made under Safe Harbor, breached his data protection rights. The Irish DP Commissioner refused to investigate, on the grounds that under Irish law he was bound to follow the European Commission’s previous decision that Safe Harbor provides an adequate level of protection for EU citizens (Decision 2000/520/EC). Mr Schrems applied for judicial review and the Irish High Court made a reference to the CJEU, asking whether the Irish DP Commissioner was bound to follow the Commission’s decision or whether he could investigate the complaint.
The Advocate General’s opinion is that the Commission’s adequacy decision does not prevent national data protection authorities from investigating complaints about the transfer of data under the Safe Harbor regime. However, the opinion goes much further in concluding that the original Commission decision is invalid, because in the light of the Snowden revelations it no longer provides adequate protection for EU data subjects. If the court were to reach the same conclusions as the Advocate General, it would have major implications for businesses currently relying on Safe Harbor to ensure compliance with EU data protection legislation.