Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Sept. 23 — The European Union's top court should find that the U.S.-EU Safe Harbor Program, which is relied on by more than 4,000 U.S. companies to transfer personal data from the EU, cannot adequately protect the personal data of EU citizens and is therefore invalid, European Court of Justice Advocate General Yves Bot recommended Sept. 23 in a non-binding advisory opinion.
In particular, EU citizens whose data is transferred to the U.S. may find that their privacy rights are violated because of “mass, indiscriminate surveillance” carried out by U.S. security agencies, and because they lack “effective judicial protection,” the ECJ said in a summary of the advocate general's opinion.
However, privacy attorneys told Bloomberg BNA Sept. 23 that the advocate general's opinion misunderstood privacy enforcement in the U.S. and didn't take into account recent changes that reinforce data protection rights.
Brian Hengesbaugh, a partner with Baker & McKenzie LLP in Chicago, who was previously the U.S. Department of Commerce General Counsel's Office lead attorney on the U.S.-EU Safe Harbor Program, said that the advocate general's opinion was “based on old law” and didn't consider recent “revisions and tightening on U.S. policy on surveillance.”
It was “so surprising” that a “high court draft opinion would misunderstand the legal context,” Hengesbaugh said.
Cédric Burton, of counsel with Wilson Sonsini Goodrich & Rosati in Brussels, said the advocate general's opinion took “a rather strict stand” and didn't sufficiently appreciate differences between the EU and the U.S. in the way privacy is protected, including greater use of self-certification by companies in the U.S.
The advocate general's call to invalidate Safe Harbor is “highly problematic for global companies,” Burton said.
Revelations in 2013 by Edward Snowden, a former employee of a U.S. contractor, about the scope of U.S. National Security Agency surveillance called into question for some in the EU the European Commission's 2000 ruling that the U.S.-EU Safe Harbor Program, which allows companies to transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the EU Data Protection Directive (95/46/EC), provides adequate privacy protection for personal data.
In the present case, the Irish High Court in June 2014 asked the ECJ to weigh in on whether Ireland's Office of the Data Protection Commissioner is obligated to investigate allegations by Austrian law student Max Schrems that Facebook Inc.'s Irish operations unlawfully handed over personal data to U.S. government officials.
On the question posed by Ireland's High Court, the advocate general said that national data protection authorities could step in when the privacy rights of their citizens are at risk, even in cases in which EU-level adequacy findings are in place.
The advocate general said that the independence of DPAs would be compromised if they were “absolutely bound by decisions adopted by the commission,” and DPAs could suspend any data transfer in order to safeguard rights “irrespective of the general assessment made by the commission.”
In a Sept. 23 statement, Schrems said it was “great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance.”
The advocate general went beyond the question of the role of DPAs in investigating transfers made under Safe Harbor to question the basis of the arrangement.
In the light of Snowden's revelations, the European Commission, the EU's executive arm, initiated in November 2013 a renegotiation of the U.S.-EU Safe Harbor Program with U.S. authorities.
In June, the commission said that talks on Safe Harbor were being held up by a disagreement on the extent to which U.S. law enforcement and security agencies could access data transferred by companies on national security grounds.
The advocate general's opinion said that the commission had conceded that under Safe Harbor “there is no guarantee that the right of citizens of the Union to protection of their data will be ensured,” but had decided that this didn't render Safe Harbor invalid. “I do not share that view,” and the commission “ought to have suspended” Safe Harbor in order to protect EU citizens' privacy rights, the advocate general said.
The advocate general added that U.S. mass electronic surveillance of personal data violated the privacy principle of proportionality of the amount of data collected in relation to a legitimate need for the collection, and that there was no independent agency in the U.S. able to monitor breaches of privacy rights by national security agencies.
The opinion said that in assessing the adequacy of data protection in a third country, the commission should consider, as well as that country's legal framework, “the manner in which the protection of personal data is guaranteed in practice,” and in case of shortcomings should suspend or adapt any adequacy decision “without delay.”
The advocate general's opinion said that the U.S.-EU Safe Harbor Program is also flawed because there are no right for EU citizens “to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programs.”
Hengesbaugh said that this right was “anticipated to be added” under the EU-U.S. umbrella agreement on data transfers for law enforcement purposes. This agreement, which sets out a set of minimum rights, has been agreed in principle but awaits implementation of legislation in the U.S. to allow EU citizens to file Privacy Act lawsuits in the U.S. over allegations of government misuse of data.
In commercial contexts, Safe Harbor already “allows data subjects to petition to the Federal Trade Commission for redress,” Hengesbaugh said. The FTC is charged with enforcing the U.S.-EU Safe Harbor Program in the U.S.
Burton said that U.S.-EU talks on reinforcing the Safe Harbor Program would “hopefully be enough” to convince the ECJ to reject the advocate general's opinion and issue a “more nuanced” judgment that would allow the program to continue.
A commission official told Bloomberg BNA Sept. 23 that conclusion of the U.S.-EU negotiations to upgrade Safe Harbor was “very close.”
Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA that the advocate general's opinion might influence the ongoing U.S.-EU Safe Harbor Program negotiation.
The advocate general here focused on the commission's Safe Harbor decision, but the opinion raises the “interesting question of the implications for other data transfer mechanisms,” such as binding corporate rules or EU standard contractual clauses, Hladjk said.
If the advocate general considers the data privacy regime in the U.S. inadequate, “that issue will be the same when you look at other data transfer mechanisms,” he said.
In most cases ECJ judgments back up the advocate general's opinion, but “there have been cases in which the ECJ did not follow the opinion,” Hladjk said.
In April 2014, the ECJ rejected an advocate general's recommended opinion and invalidated the EU Data Retention Directive (2006/24/EC).
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor on this story: Donald G. Aplin at email@example.com
Full text of the advocate general's opinion, as posted on the ECJ's public InfoCuria website, is available at http://op.bna.com/pl.nsf/r?Open=dapn-a2mhym.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)