An Unsafe Harbor? What Companies Need to do in Light of the Advocate General's Opinion in Schrems v. Data Protection Commissioner

Cooley Alert
September 28, 2015


For companies relying on Safe Harbor to legitimise transfers of data from the EU to the US, the recent opinion of the Advocate General ("AG") in the European Court of Justice ("ECJ") case of Schrems v. Data Protection Commissioner (Case C-362/14) is worrying. The issue in the Schrems case is whether national EU data protection authorities are permitted to suspend transfers to the US based on the Safe Harbor framework, on the grounds that that framework does not guarantee the adequate protection of personal data transferred from the EU to the US.

The AG's opinion

The AG stated that Safe Harbor is invalid because it fails to offer sufficient protections to EU personal data, and that EU data protection authorities can investigate complaints about Safe Harbor and suspend data transfers to the US which rely on Safe Harbor if those transfers breach EU data protection law.

Implications of the AG's opinion

The AG's opinion is only a recommendation to the ECJ, and that court is not obligated to accept it when making its ruling, which is expected by the end of this year. However, in most cases the ECJ does follow the AG's recommendation. If that happens here, the European Commission will need to quickly agree and approve a revised version of Safe Harbor.

Separately, negotiations with the US Department of Commerce to improve Safe Harbor began approximately two years ago. Although many points have been agreed, as evidenced in the EU-US "Umbrella Agreement" on law enforcement co-operation earlier this month, one outstanding issue is the right of EU citizens to bring claims in US courts against the US government for privacy violations, which may require a change in US law. The fact that the ECJ's decision is expected by the end of this year, giving only a short window to agree these final issues, may focus minds and galvanise the parties to reach agreement.

What companies should be doing now

More than 4,000 companies rely on the Safe Harbor framework to legitimise their data transfers and so clarification on the continued use of the framework is urgently needed. Although such companies should keep a close eye on these EU developments, it is probably a little premature to take steps to adopt an alternative transfer mechanism, such as model clauses, now. Even if the ECJ follows the AG's opinion, enforcement action for those who previously relied on Safe Harbor would not be expected to follow immediately, so companies should have time to switch to an alternative means of legitimising their data transfers to the US at that stage. However, companies may want to review their current data flows to ensure that they are up-to-date on exactly which data are being transferred to the US and that they can then act quickly to legitimise those transfers by another means, if necessary.

Cooley's London Privacy & Data Protection team is led by partners Ann Bevitt, Chris Coulter, Mark Deem and Sarah Pearce. They offer multi-disciplinary depth and breadth of experience to clients in data protection, privacy by design, data breach management, incident response, breach preparedness, and related litigation, especially in large breaches and those with multi-national issues.
