For companies relying on Safe Harbor to legitimise transfers of data from the EU to the US, the recent opinion of the Advocate General ("AG") in the European Court of Justice ("ECJ") case of Schrems v. Data Protection Commissioner (Case C-362/14) is worrying. The issue in the Schrems case is whether national EU data protection authorities are permitted to suspend transfers to the US based on the Safe Harbor framework, on the grounds that that framework does not guarantee the adequate protection of personal data transferred from the EU to the US.
The AG's opinion
The AG stated that Safe Harbor is invalid because it fails to offer sufficient protections to EU personal data, and that EU data protection authorities can investigate complaints about Safe Harbor and suspend data transfers to the US which rely on Safe Harbor if those transfers breach EU data protection law.
Implications of the AG's opinion
The AG's opinion is a recommendation to the ECJ only, and that court is not obligated to accept it when making its ruling, which is expected by the end of this year. However, in most cases the ECJ does follow the AG's recommendation. If that happens here, the European Commission will need to quickly agree and approve a revised version of Safe Harbor.
Separately, negotiations with the US Department of Commerce to improve Safe Harbor began approximately two years ago. Although many points have been agreed, as evidenced in the EU-US "Umbrella Agreement" on law enforcement co-operation earlier this month, one outstanding issue is the right of EU citizens to bring claims in US courts against the US government for privacy violations, which may require a change in US law. The fact that the ECJ's decision is expected by the end of this year, giving only a short window to agree these final issues, may focus minds and galvanise the parties to reach agreement.
What companies should be doing now
More than 4,000 companies rely on the Safe Harbor framework to legitimise their data transfers and so clarification on the continued use of the framework is urgently needed. Although such companies should keep a close eye on these EU developments, it is probably a little premature to take steps to adopt an alternative transfer mechanism, such as model clauses, now. Even if the ECJ follows the AG's opinion, enforcement action for those who previously relied on Safe Harbor would not be expected to follow immediately, so companies should have time to switch to an alternative means of legitimising their data transfers to the US at that stage. However, companies may want to review their current data flows to ensure that they are up-to-date on exactly which data are being transferred to the US and that they can then act quickly to legitimise those transfers by another means, if necessary.
Cooley's London Privacy & Data Protection team is led by partners Ann Bevitt, Chris Coulter, Mark Deem and Sarah Pearce. They offer multi-disciplinary depth and breadth of experience to clients in data protection, privacy by design, data breach management, incident response, breach preparedness, and related litigation, especially in large breaches and those with multi-national issues.