EU High Court Sets Judgment Day for U.S.-EU Safe Harbor as U.S. Government Fires Back at Court Advisor’s Safe Harbor Claims

The European Court of Justice (ECJ), the European Union's highest court, has set a judgment date for Maximillian Schrems v. Data Protection Commissioner, the case which may decide the fate of the current U.S.-EU Safe Harbor Framework (Safe Harbor) for cross-border data transfers. The judgment date is October 6, 2015. Given the speed at which the court is rendering its judgment, it is possible that the court will rely heavily on the Advocate General's September 23 opinion, which we discussed in detail in our previous client alert.

The hope right now is that the European Commission and U.S. Department of Commerce will finalize their renegotiation of the Safe Harbor terms and that the U.S. Congress will quickly pass a judicial redress act providing European citizens with a venue to pursue privacy actions against U.S. intelligence agencies. Practically speaking, it is unlikely that Congress will move that quickly. Given the ECJ Advocate General's focus on the U.S. national security system, and the possibility that the  court will follow the Advocate General's reasoning, the ECJ may draw into question the validity of all forms of data transfer to the U.S. and give member state data protection authorities and courts the ability to consider "adequacy" on a case-by-case basis. Thus it is unclear whether companies should consider moving to another data transfer mechanism at this time.

The ECJ scheduling announcement comes a day after the United States Mission to the European Union (U.S. Mission) issued a statement strongly supporting Safe Harbor. The U.S. Mission's statement was made in response to the Advocate General's nonbinding September 23 opinion which called for the suspension of Safe Harbor and for the confirmation that the member state data protection authorities are not bound by the Commission's "adequacy" decisions, such as Safe Harbor, when examining the lawfulness of international data transfers.

The U.S. Mission's September 28 statement attempts to set the record straight on several points including what the U.S. Mission's statement refers to as "numerous inaccurate assertions" in the ECJ Advocate General's opinion:

• The U.S. "does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens." The PRISM program is targeted against "particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."
• The United States has taken unprecedented steps to increase transparency and accountability regarding U.S. intelligence practices—steps which were not taken into account by the Advocate General's opinion. The U.S. Mission is likely referring to curtailments and transparency measures such as the USA Freedom Act, passed in June 2015, which bans the bulk collection of data by U.S. intelligence agencies and the proposed Judicial Redress Act and U.S.-EU umbrella agreement which would allow EU citizens to bring civil actions directly against certain U.S. agencies.
• The renegotiation of Safe Harbor by the U.S. Department of Commerce and European Commission is not a sign of its "inadequacy" but rather an ordinary course of action. The Safe Harbor Framework is a "living document" for which both the U.S. and European Commission make operational improvements from time to time.

Finally, the U.S. Mission notes the likely far-reaching negative consequences of the Advocate General's proposal to treat European Commission "adequacy" determinations as something subject to member state data protection authority approval/disapproval, potentially on a case by case basis. Were the ECJ to agree with the Advocate General, every EU data transfer mechanism (including each country the EU has found "adequate," all binding corporate rules (BCR), and model contracts) would be subject to 28 different "adequacy" determinations on a case by case basis—entirely undermining the unified model implemented by the European Union.

The announcement of the renegotiated Safe Harbor terms is still forthcoming. We will continue to monitor and keep you apprised of ongoing developments.