In-Depth: European Union High Court Advisor Recommends Suspension of Safe Harbor

An advocate general to Europe's highest court, the European Court of Justice (ECJ), recommended September 23 that the U.S.-EU Safe Harbor (Safe Harbor) be suspended due to the ongoing dispute regarding the U.S. National Security Agency mass data collection program. Advocate general opinions are advisory and do not bind the court, but they are frequently followed. No immediate or emergency action has been taken to suspend Safe Harbor in the interim nor is it expected without the full court's consideration. The Safe Harbor saga remains incomplete in part because the European Commission and U.S. Department of Commerce are in their final days of renegotiating the original 2000 agreement. Some court watchers say an ECJ decision could come as early as next month, though it is expected closer to the end of the year. The court is fully aware that the U.S. and EU are renegotiating Safe Harbor and that the proposed EU data protection regulation could force the changes the ECJ may seek in Safe Harbor, but the court will not wait indefinitely for the conclusion of either before making their own determination.

A renegotiated Safe Harbor agreement could render the September 23 opinion of the ECJ advocate general moot. However, if the court rules on the case before the Safe Harbor renegotiations are finalized, the court could invalidate Safe Harbor and the timeline for invalidation could be quick or immediate. The electronic world in Europe and the lives of Europeans would be dramatically affected if Safe Harbor-certified companies like Apple, Microsoft, and Google suddenly had to cease data flows in light of a suspended Safe Harbor.

Both the Safe Harbor renegotiation and the ECJ case have drilled down on the issue of U.S. national security agency access to European data. Meanwhile, the business operations and data flows of over 4,400 Safe Harbor certified companies hang in the balance as Europe battles the U.S. government over its surveillance practices.

Case Background

Maximillian Schrems v. Data Protection Commissioner, the case that questioned Safe Harbor's adequacy, originally came about after an Austrian Facebook user lodged a complaint with the Irish data protection authority (DPA) after the 2013 U.S. National Security Agency (NSA) mass data collection revelations. The Facebook user alleged that the United States' Safe Harbor agreement did not offer "adequate" data protection because it "allowed" mass U.S. government surveillance. The Irish DPA rejected the complaint in part because they deferred to the European Commission's "adequacy" finding bestowed upon Safe Harbor.

Today's Opinion

The ECJ advocate general's nonbinding opinion ruled: (1) that Safe Harbor is invalid, because it does not place proportionality limits on the U.S. government's access to data, and (2) member state DPAs have the power to suspend transfers despite "adequacy" findings.

The first point is based on the advisor's opinion that "the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection." The advisor alleges that the national security data collection is not proportional to national security needs, and violates the right to respect for private life and the right to protection of personal data, guaranteed by the EU Charter.

U.S. companies must now wait for the U.S. Congress to pass the Judicial Redress Act, which would grant EU citizens judicial protection and allow the U.S. and EU to implement the "umbrella agreement" regarding law enforcement cooperation and privacy protection, to which both sides agreed on September 8. Companies must also wait to see whether any "proportionality" measures are added to the law enforcement exception found in Safe Harbor when the program is updated by the U.S. Department of Commerce.

The second point in the advocate general's opinion is a departure from the current understanding of the 1995 EU data protection directive, which binds all member states to the "adequacy" determinations made by the European Commission. The ECJ advisor envisions member state DPAs having the right to challenge adequacy findings, as if the right to make adequacy determinations is "shared between the Member States and the Commission."

What it Means for U.S. Companies

The nonbinding opinion released September 23 is not based on actual or perceived shortcomings of U.S. companies or their compliance with Safe Harbor. Rather the opinion is based on the U.S. government's surveillance actions. That distinction is an important one as companies consider what to do.

If in the worst case scenario Safe Harbor is suspended, there are other EU-approved options for data transfers to the U.S., including model contracts and binding corporate rules. The most common alternative to Safe Harbor is model contracts, though they are not as universally applicable as Safe Harbor. All eyes are back on the U.S. government, from whom a renegotiated Safe Harbor agreement is expected in the coming days. The renegotiated Safe Harbor is expected to address, among other things, the national security access issues that have caused concern.

Remaining Trouble

Even if Safe Harbor is renegotiated, the advocate general's opinion—if adopted—with regard to the authority of national DPAs to interfere with European Commission's "adequacy" determinations will create uncertainty over all "adequacy" findings. "Adequacy" determinations were intended to be EU-wide determinations. Without EU-wide "adequacy" determinations, individual DPAs would be able to suspend data flows even under the renegotiated Safe Harbor by overriding any EU-wide "adequacy" finding. This would effectively give each EU member state veto power over an adequacy finding resulting in uncertainty and fragmentation.

One of the only options left for companies scrambling to continue data flows absent Safe Harbor would be model contracts, which do not work in all business situations because there are only three rigid models which are approved by the European Commission for use. Even if model contracts are used, the advocate general's September 23 opinion could arguably entitle national DPAs to suspend data flows after a complaint, rendering model contracts vulnerable to the "adequacy" fragmentation that Safe Harbor now faces.

Binding corporate rules (BCRs) may be suitable alternatives for large multinationals, but application is time intensive and quite expensive, and BCRs are only intended for intra-company data transfers.

It is a critical moment for data flows as companies look to the ECJ and the European Commission to provide a solution that does not grind the data flow of the U.S.-EU trade partnership to a halt. After all, both the U.S. and EU are each other's largest trading partner.