EU Court Adviser: U.S. Data Move Safe Harbor Invalid

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Sept. 23 — The European Union's top court should find that the U.S.-EU Safe Harbor Program, which is relied on by more than 4,000 U.S. companies to transfer personal data from the EU, cannot adequately protect the personal data of EU citizens and is therefore invalid, European Court of Justice Advocate General Yves Bot recommended Sept. 23 in a non-binding advisory opinion.

In particular, EU citizens whose data is transferred to the U.S. may find that their privacy rights are violated because of “mass, indiscriminate surveillance” carried out by U.S. security agencies, and because they lack “effective judicial protection,” the ECJ said in a summary of the advocate general's opinion.

However, privacy attorneys told Bloomberg BNA Sept. 23 that the advocate general's opinion misunderstood privacy enforcement in the U.S. and didn't take into account recent changes that reinforce data protection rights.

Brian Hengesbaugh, a partner with Baker & McKenzie LLP in Chicago, who was previously the U.S. Department of Commerce General Counsel's Office lead attorney on the U.S.-EU Safe Harbor Program, said that the advocate general's opinion was “based on old law” and didn't consider recent “revisions and tightening on U.S. policy on surveillance.”

It was “so surprising” that a “high court draft opinion would misunderstand the legal context,” Hengesbaugh said.

Cédric Burton, of counsel with Wilson Sonsini Goodrich & Rosati in Brussels, said the advocate general's opinion took “a rather strict stand” and didn't sufficiently appreciate differences between the EU and the U.S. in the way privacy is protected, including greater use of self-certification by companies in the U.S.

The advocate general's call to invalidate Safe Harbor is “highly problematic for global companies,” Burton said.

Facebook Data Transfers 

Revelations in 2013 by Edward Snowden, a former employee of a U.S. contractor, about the scope of U.S. National Security Agency surveillance called into question for some in the EU the European Commission's 2000 ruling that the U.S.-EU Safe Harbor Program, which allows companies to transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the EU Data Protection Directive (95/46/EC), provides adequate privacy protection for personal data.

In the present case, the Irish High Court in June 2014 asked the ECJ to weigh in on whether Ireland's Office of the Data Protection Commissioner is obligated to investigate allegations by Austrian law student Max Schrems that Facebook Inc.'s Irish operations unlawfully handed over personal data to U.S. government officials. 

On the question posed by Ireland's High Court, the advocate general said that national data protection authorities could step in when the privacy rights of their citizens are at risk, even in cases in which EU-level adequacy findings are in place.

The advocate general said that the independence of DPAs would be compromised if they were “absolutely bound by decisions adopted by the commission,” and DPAs could suspend any data transfer in order to safeguard rights “irrespective of the general assessment made by the commission.”

In a Sept. 23 statement, Schrems said it was “great to see that the advocate general has used this case to deliver a broad statement on data transfers to third countries and mass surveillance.”

Safe Harbor Questioned 

The advocate general went beyond the question of the role of DPAs in investigating transfers made under Safe Harbor to question the basis of the arrangement.

In the light of Snowden's revelations, the European Commission, the EU's executive arm, initiated in November 2013 a renegotiation of the U.S.-EU Safe Harbor Program with U.S. authorities.

In June, the commission said that talks on Safe Harbor were being held up by a disagreement on the extent to which U.S. law enforcement and security agencies could access data transferred by companies on national security grounds.

The advocate general's opinion said that the commission had conceded that under Safe Harbor “there is no guarantee that the right of citizens of the Union to protection of their data will be ensured,” but had decided that this didn't render Safe Harbor invalid. “I do not share that view,” and the commission “ought to have suspended” Safe Harbor in order to protect EU citizens' privacy rights, the advocate general said.

The advocate general added that U.S. mass electronic surveillance of personal data violated the privacy principle of proportionality of the amount of data collected in relation to a legitimate need for the collection, and that there was no independent agency in the U.S. able to monitor breaches of privacy rights by national security agencies.

The opinion said that in assessing the adequacy of data protection in a third country, the commission should consider, as well as that country's legal framework, “the manner in which the protection of personal data is guaranteed in practice,” and in case of shortcomings should suspend or adapt any adequacy decision “without delay.”

Redress Rights 

The advocate general's opinion said that the U.S.-EU Safe Harbor Program is also flawed because there are no right for EU citizens “to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programs.”

Hengesbaugh said that this right was “anticipated to be added” under the EU-U.S. umbrella agreement on data transfers for law enforcement purposes. This agreement, which sets out a set of minimum rights, has been agreed in principle but awaits implementation of legislation in the U.S. to allow EU citizens to file Privacy Act lawsuits in the U.S. over allegations of government misuse of data.

In commercial contexts, Safe Harbor already “allows data subjects to petition to the Federal Trade Commission for redress,” Hengesbaugh said. The FTC is charged with enforcing the U.S.-EU Safe Harbor Program in the U.S.

Burton said that U.S.-EU talks on reinforcing the Safe Harbor Program would “hopefully be enough” to convince the ECJ to reject the advocate general's opinion and issue a “more nuanced” judgment that would allow the program to continue.

A commission official told Bloomberg BNA Sept. 23 that conclusion of the U.S.-EU negotiations to upgrade Safe Harbor was “very close.”

Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA that the advocate general's opinion might influence the ongoing U.S.-EU Safe Harbor Program negotiation.

Implications for Other Transfer Mechanisms 

The advocate general here focused on the commission's Safe Harbor decision, but the opinion raises the “interesting question of the implications for other data transfer mechanisms,” such as binding corporate rules or EU standard contractual clauses, Hladjk said.

If the advocate general considers the data privacy regime in the U.S. inadequate, “that issue will be the same when you look at other data transfer mechanisms,” he said.

In most cases ECJ judgments back up the advocate general's opinion, but “there have been cases in which the ECJ did not follow the opinion,” Hladjk said.

In April 2014, the ECJ rejected an advocate general's recommended opinion and invalidated the EU Data Retention Directive (2006/24/EC).

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at

Full text of the advocate general's opinion, as posted on the ECJ's public InfoCuria website, is available at


Request Bloomberg Law Privacy and Data Security