Data transfers can be suspended until investigation is complete.
In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the Advocate General ruled that EU data protection authorities do have powers to investigate complaints about the transfer of personal data to the United States by Safe Harbor-certified organisations and can, where justified, suspend data transfers until their investigations are complete.
According to the European Commission, the United States is a country of “inadequate” data protection. The European Commission and the US Department of Commerce, therefore, agreed in the year 2000 to a self-certification programme for US organisations to receive personal data sent from Europe. The self-certification programme provided that US organisations must certify that they adhered to standards of data processing that are comparable with EU data protection laws such that EU citizens’ personal data was treated as adequately as if their data had remained within Europe. This Safe Harbor programme is operated by the US Department of Commerce and enforced by the Federal Trade Commission. Over 4,000 organisations have current self-certifications of adherence to Safe Harbor principles (see Safe Harbor List).
In the course of Irish litigation, a question was referred to the ECJ for a ruling on whether EU Data Protection Authorities can investigate data transfers to organisations with Safe Harbor certification. Yves Bot, Advocate General at the European Court of Justice (ECJ), said in his opinion released on 23 September 2015 that the Safe Harbor programme does not currently do enough to protect EU citizens’ private data because personal data had been obtained by US authorities in the course of “mass and indiscriminate surveillance and interception of such data” from Safe Harbor-certified organisations. The Irish Data Protection Commissioner, therefore, had the power to investigate complaints about Safe Harbor-certified organisations and, if there are “exceptional circumstances in which the suspension of specific data flows should be justified”, to suspend the data transfers pending the outcome of its investigation.
While the Advocate General’s opinions are not binding, they are often followed by the ECJ. The decision of the ECJ is expected soon.
In 2013, following much discussion in the EU about the Safe Harbor programme after Edward Snowden’s revelations about the NSA’s PRISM programme, thirteen recommendations were made to improve the Safe Harbor programme.
The key recommendations are as follows:
A final decision on whether these recommendations will be implemented is still awaited from the EU.
Notwithstanding the debate over the last two years, many organisations still view the Safe Harbor programme as an appropriate standard in data protection for non-European businesses and consider Safe Harbor certification to be a mark of trust in their data protection processes. Organisations that transfer personal data from Europe to the United States using the Safe Harbor programme may be concerned about the potential disruption to international data flows if the ECJ follows the Advocate General’s opinion and the organisation is subsequently investigated by a European data protection authority. One important issue that the ECJ must address is whether the European Commission and/or EU Data Protection Authorities are authorised to “suspend” Safe Harbor-certified data transfers. The European Commission is considering the above-mentioned recommendations to improve data protection measures under Safe Harbor. The ECJ should, therefore, be mindful not to create a patchwork in which some (perhaps stricter) EU Data Protection Authorities suspend data transfers by certain organisations, while other Data Protection Authorities have no such objections about those same organisations. Under the proposed new General Data Protection Regulation, there will be a consistency mechanism that is designed to avoid such a situation.
It is also worth noting that nothing about this decision invalidates Safe Harbor as a mechanism to transfer data. It merely provides that a data protection authority investigating a specific organisation could, upon finding “exceptional circumstances”, suspend that organisation’s ability to transfer data under Safe Harbor pending investigation. If organisations remain in full compliance with their Safe Harbor obligations, they should have no reason to fear suspension of data flows.
Before blocking the data flows or “suspending” Safe Harbor, the European Commission and the Data Protection Authorities should bear in mind that the US Government has made strides to block illegal data collection by law enforcement authorities (e.g., by the USA Freedom Act of 2015 or Presidential Policy Directive 28). The Federal Trade Commission has also imposed penalties, by way of consent decrees, on various companies that were deemed not Safe Harbor-compliant.
For organisations with concerns that their Safe Harbor certification may be undermined by this ruling, there are other options to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements.
Morgan Lewis is a leader in advising clients on privacy and cybersecurity issues. If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Dr. Axel Spies
Gregory T. Parks
W. Reece Hirsch
Mark L. Krotoski