The Max Schrems case concerns the Irish Data Protection Commissioner’s decision not to investigate a complaint made by Schrems regarding the storage by Facebook of its EU subscribers’ data on servers in the U.S. More broadly, the case questions the adequacy of the U.S.-EU Safe Harbor scheme. In his 23 September 2015 opinion, the Advocate General determined that national data protection authorities are not prevented from investigating and reaching a decision independent of the European Commission decision underlying Safe Harbor. As such, the Irish Data Protection Commissioner had no legitimate basis to refuse to investigate the complaint made by Max Schrems.
The Advocate General went on to advise that Safe Harbor does not satisfy the requirements of either the EU Charter of Fundamental Rights or the EU Data Protection Directive because “the access enjoyed by the United States intelligence services is mass, indiscriminate surveillance.”
The Advocate General considered that the finding of adequacy by the European Commission in connection with Safe Harbor should be declared invalid, since the existence of a derogation (which allows the principles of the Safe Harbor scheme to be disregarded for national security reasons) prevents Safe Harbor from ensuring an adequate level of protection for the personal data which is transferred from the EU to the U.S. In addition, in the view of the Advocate General, there is no independent U.S. authority capable of verifying that the implementation of the derogations from Safe Harbor by, for example, U.S. security agencies is necessary, because neither the FTC nor any private dispute resolution body has the power to monitor such possible breaches.
While the EU’s assessment of the Safe Harbor has unquestionably become enmeshed with concerns over U.S. intelligence surveillance, there is not necessarily a logical or empirical connection between corporate data transfers under the Safe Harbor and U.S. government data collection efforts—any more than there would be with regard to Standard Contractual Clauses or Binding Corporate Rules. The Advocate General opinion paints U.S. intelligence collection with a very broad brush that appears to blend together the contents of press reports from the Snowden leaks with information on the recently ended U.S. domestic bulk metadata collection program, along with collection of Internet communications of non-U.S. citizens. Given the broad authorities for European intelligence collection with no oversight by data protection authorities, it is difficult to understand why the derogation for national security reasons in the Safe Harbor agreement is less protective of the rights of EU citizens than the equivalent derogation in the 1995 Privacy Directive. It should also be noted that common carriers in the U.S.—such as the leading telecommunications companies—are not eligible for and do not participate in the Safe Harbor.
Given that the opinion is not legally binding and the case will now need to be decided by the 15 judges of the ECJ, a key question to ask is to what extent the “defects” in the Safe Harbor scheme identified by the Advocate General can be addressed in ongoing discussions between the U.S. government and the European Commission. The Advocate General took note of these negotiations “to put an end to the shortcomings found.” The Commission and the U.S. Department of Commerce have been close to an agreement, which includes measures to acknowledge boundaries on U.S. government access to data on EU citizens, and the U.S. Congress is considering the Judicial Redress Act to extend rights under the Privacy Act to certain foreign citizens. The approval of a new Safe Harbor agreement and passage of this legislation could address concerns raised in the Advocate General opinion.
Nonetheless, this recommendation, if upheld by the European Court of Justice, would have a significant impact on many businesses currently relying on Safe Harbor to legitimize transfers of personal data from the EU to the U.S. Such businesses may wish to reconsider their choice of international data transfer solutions and whether to adopt alternative solutions, such as Binding Corporate Rules or EU standard contractual clauses.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
William RM Long
Privacy, Data Security & Information Law Practice