Irish Referral of U.S.-EU Safe Harbor to ECJ May Raise Issues on All Adequacy Regimes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

June 20 — The recent High Court of Ireland decision to refer a case to the European Court of Justice questioning the adequacy of privacy protections for data transfers under the U.S.-European Union Safe Harbor Program may sweep in questions about the viability of all adequacy regimes that govern the transfer of data to non-EU jurisdictions, particularly the U.S., legal analysts and lawmakers told Bloomberg BNA.

The ECJ might even reach a decision that calls into question alternative methods of lawfully transferring personal data out of the EU, such as binding corporate rules and standard contractual clauses, some analysts said.

Validity of Safe Harbor at Issue

The Irish High Court June 18 ruled that the ECJ, the EU's top court, should decide whether Ireland's data protection authority is obligated to investigate allegations that Facebook Inc.'s Irish operations unlawfully handed over personal data to U.S. government officials.

In order for personal data to be transferred out of the EU in compliance with the EU Data Protection Directive (95/46/EC), the receiving country must have a legal regime that “adequately” protects privacy.

The European Commission, the EU's executive arm, has determined that the U.S. doesn't meet the EU's adequacy standard.

But in 2000, the European Commission ruled that the U.S.-EU Safe Harbor Program, which allows companies to transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the Data Protection Directive, provides adequate privacy protection for personal data.

The Irish High Court directly challenged whether the program still provides adequate privacy protection given revelations about the scope of U.S. National Security Agency surveillance efforts.

German Doubts on Safe Harbor

Paul Voigt, a senior associate with Taylor Wessing LLP in Hamburg, told Bloomberg BNA June 19 that the referral of the case to the ECJ comes on the back of increasing doubts about the credibility of the U.S.-EU Safe Harbor Program to ensure the protection of data of European citizens.

In Germany—the EU member state with the largest population and hence the largest number of data subjects covered by the requirements of the Data Protection Directive—“Safe Harbor has never been liked by the data protection authorities,” Voigt said.

The DPAs—Germany has a federal privacy regulator as well as independent DPAs for each of the country's 13 states—“accept Safe Harbor but, if at all possible, usually suggest using” standard contractual clauses as an alternative means of lawfully transferring data, he said.

“Safe Harbor is under quite a big attack, especially since” the disclosures by Edward Snowden, Voigt said. However, the credibility of Safe Harbor was also being questioned before the Snowden leaks because “as the European Commission has acknowledged, many of the companies that use Safe Harbor do not really stick to it,” he said.

“There is quite a lot of pressure on Safe Harbor and the pressure gets harder with the decision of the High Court in Ireland,” he said.

Questions About Other Adequacy Regimes

Steve Peers, a professor of EU and human rights law at the Essex University School of Law in Colchester, England, told Bloomberg BNA June 20 that the Irish court's referral to the ECJ “creates a flagship case.”

Questions “could be posed with regard to other options for data transfers,” and if the U.S.-EU Safe Harbor Program is found to be unlawful by the European Court of Justice, mechanisms for data transfer such as binding corporate rules and standard clauses could also be invalidated.

Paul Voigt, Senior Associate, Taylor Wessing LLP, Hamburg

The ECJ could answer the Irish High Court's question about the European Commission's Safe Harbor decision in a narrow, technical way, or it could examine the broader issue of adequacy regimes for data transfers to non-EU jurisdictions in the context of EU privacy rights, Peers said.

“Logically, any U.S. company that is subject to those NSA orders could be challenged in the same way,” he said.

In addition, a broader ECJ examination of adequacy regimes in connection with EU privacy protections “raises the possibility of other adequacy decisions being challenged on other grounds—it might not have anything to do with spying,” Peers said.

“One way or another” the Irish High Court's referral “brings matter to a head,” he added.

In addition to the U.S.-EU Safe Harbor Program, the European Commission has formally recognized as adequate Andorra, Argentina, Australia, Canada's commercial organizations code, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand and Uruguay.

The commission is in the process of considering whether Quebec's privacy laws provide adequate privacy protection.

BCRS, Contractual Clauses at Risk?

Voigt agreed that questions “could be posed with regard to other options for data transfers,” and if Safe Harbor is found to be unlawful, mechanisms for data transfer such as binding corporate rules and standard clauses could also be invalidated, Voigt said.

Potentially, “it will get more challenging for all data transfers,” he added.

In such a case, “there will probably be some kind of solution on a political level” because data transfers are “vital” and “you just cannot forbid these data transfers,” Voigt said.

Tanguy Van Overstraeten, global head of the privacy and data protection practice at Linklaters LLP in Brussels, told Bloomberg BNA June 19 that “it seems clear that multinationals transferring data to non-EU countries are now due to become increasingly cautious in the selection of the mechanism they want to use to enable such transfer in compliance with EU rules.”

Impact of Proposed Data Protection Regulation

Van Overstraeten noted that the European Parliament has introduced language into the draft EU data protection regulation that would introduce sunset clauses and a requirement to review all current mechanisms that allow data transfers to the U.S.

In January 2012, the European Commission proposed the data protection regulation to replace the Data Protection Directive. The European Parliament adopted its position on the draft regulation in March.

Because of the European Parliament's proposals, “most of the current data transfer solutions are somewhat under threat, even the binding corporate rules, although they are clearly seen as a gold standard for transfer within a multinational group of companies,” Van Overstraeten said.

Peers said that the EU Council, which represents the governments of EU member states and which must finalize the data protection regulation with the European Parliament, “doesn't want to have a sunset clause, so that is something they would have to negotiate.”

However, European Parliament lawmakers are likely to want to stand firm on the inclusion of sunset clauses because of concerns about NSA surveillance, and it would be “a difficult point” in the final negotiation of the regulation, Peers added.

Commission Expects ‘Landmark’ Case

U.S. and EU negotiators have been working to strengthen the Safe Harbor Program.

European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding'sspokeswoman Mina Andreeva told Bloomberg BNA June 19 that “there is no indication that the Irish decision would have a direct impact on the European Commission's Safe Harbor talks with the U.S.”

The Irish case concerns the wider questions of “what margin of appreciation is left to national data protection authorities when they have to decide on a complaint about an adequacy decision such as Safe Harbor,” and “to what extent are they bound by the Commission's finding of adequacy,” Andreeva said.

The referral of the case to the ECJ “underlines once again the growing importance that judges attribute to European data protection legislation,” Andreeva said. The case is “another potential landmark case, following the European Court of Justice's ruling on the data retention directive and the right to be forgotten,” she added.

Jan Philipp Albrecht, a German Green member of the European Parliament who was responsible for preparing the Parliament's position on the draft data protection regulation, told Bloomberg BNA June 10 before the Irish High Court ruling that there has been a major misunderstanding about the U.S.-EU Safe Harbor Program.

“In the EU, people think they are protected by Safe Harbor, and in the U.S. it is seen as a blank check,” he said.

U.S. companies “obviously believed they just need to sign the Safe Harbor decision and they were out of the EU jurisdiction,” Albrecht said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law Privacy and Data Security