How safe is the “Safe Harbour”? A close look at the “Schrems” case on the eve of the ruling

UPDATE: On 6 October, the EU Court of Justice issued a ruling invalidating the Safe Harbour agreement. See our press statement [PDF].

Tomorrow, the EU Court of Justice will determine whether the national Data Protection authority can conduct an independent assessment of a decision in the so-called Schrems case, which deals with Facebook’s transfer of user data between its subsidiary in Ireland and the parent company in the United States.

Will there be a review of the Safe Harbour framework — or will the national Data Protection authority be forced to abide by the European Commission’s previous decision to authorise the transfer of users’ data from the EU to the US under Safe Harbour?

Below, Access breaks down the EU Advocate General’s opinion in the case, which was delivered on September 23. The Advocate General’s opinion provides guidance to the EU Court of Justice, and the Court often — but not always — follows this guidance.

What is the Safe Harbour?

The Safe Harbour framework is an international agreement that authorises US companies to lawfully transfer a wide variety of personal data collected in the EU. According to EU data protection law, this transfer can only take place if the US ensures an “adequate” level of data protection — a standard meant to reflect the standard in the EU. Under the Safe Harbour, US companies must adhere to a set of principles, but the choice to follow Safe Harbour is voluntary and it only requires a self-certification that the principles are being followed.

The framework was established in 2000 to help navigate the differences in how data protection is regulated on either side of the Atlantic. Negotiations in the EU were conducted at the sole discretion of the European Commission, which chose at the time to ignore the privacy concerns raised by civil society groups and the European Parliament.

What are the recommendations of the Advocate General?

The Court’s decision is preceded by an opinion of the Advocate General, Yves Bot. His comprehensive opinion held that, despite the Commission decision that the United States offers adequate protections for personal data, national authorities are not pre-empted from conducting a review of the Safe Harbour mechanism. Given the authorities’ independence and their recognised investigatory powers, Bot asserts that data protection authorities in fact have a duty to carry out a comprehensive assessment of data transfer mechanisms like the Safe Harbour. An investigation can take place at any time — not only when privacy breaches are suspected — and can lead to a suspension of the transfer of data between the EU and the US if the authority considers data protections inadequate.

On the basis of CJEU case law, the Advocate General asserts that the Court should determine the validity of the Safe Harbour mechanism. On this underlying question, Bot comes to the conclusion that the Safe Harbour should be invalidated, as it contradicts EU data protection law and the EU Charter of Fundamental Rights.

What are the shortcomings of the Safe Harbour mechanism?

Based on the evidence revealed by Edward Snowden regarding the PRISM programme, the Advocate General considers the access enjoyed by US intelligence services to the data transferred by companies through the Safe Harbour mechanism to interfere with the rights to privacy, data protection, and effective remedy, all of which are guaranteed by the Charter.

The PRISM programme is a large-scale surveillance programme under which the United States National Security Agency (NSA) submits requests to major US internet companies (including Google, Yahoo, Microsoft, and Facebook) for information to, from, or about certain identified targets. PRISM began in 2007 and operates pursuant to section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FAA).

The 2013 revelations about the operation of PRISM prompted the European Commission to initiate a review of the Safe Harbour mechanism, specifically regarding transparency. The EU Justice Commissioner at the time, Viviane Reding, stated, “the Safe Harbour agreement may not be so safe after all.” She expressed her concern that the Safe Harbour “could be a loophole for data transfers because it allows data transfers from EU to US companies — although US data protection standards are lower than our European ones.” This reaction from the Commission shows that it was aware of the critical flaws in the mechanism but decided not to suspend it, despite an explicit request by the Parliament to do so. The Advocate General therefore concludes that the “Commission ought to have suspended” Safe Harbour.

What are the other shortcomings of Safe Harbour?

Even apart from the issue of access to data by intelligence agencies that is being considered in this case, the level of data protection ensured by the Safe Harbour remains questionable. Often criticised, the framework was already reviewed twice, in 2002 and 2004. Since its implementation in 2000, civil society groups, data protection experts, and authorities have identified countless shortcomings in how the Safe Harbour is applied due to its complete reliance on self-certification and self-assessment. These loose rules, coupled with the lack of an efficient control mechanism, do not guarantee compliance with data protection standards.

What will happen if the Court invalidates Safe Harbour?

Currently more than 3,000 US companies are using a Safe Harbour certification to transfer data to data centers outside the EU. If the EU Court decides to follow the opinion of the Advocate General, these companies would have to find another legal basis for transferring data from the EU to data centers located outside the region. The EU data protection regime foresees the possibility for the transfer of data via so-called Binding Corporate Rules (BCRs) or Standard Contractual Clauses. Therefore, an invalidation of Safe Harbour would not mean an interruption in the transatlantic flow of data. These other mechanisms for transfer, while not perfect, include a more comprehensive oversight mechanism than the Safe Harbour.

Suspending Safe Harbour will not however make EU citizens’ data safe from US surveillance programmes. The US applies certain protections to all data collected within its geographic borders, meaning data stored there is necessarily harder for the NSA to access and requires some modicum of due process. Outside the US, these requirements no longer apply — US authorities can collect personal data from people outside the US under Executive Order 12333, which has no requirement for judicial involvement and little oversight. To protect the privacy of people in the EU, not only must the flawed Safe Harbour be invalidated, but the US has to engage in an in-depth surveillance reform, which includes a review of FAA section 702 and of EO 12333.

Invalidating Safe Harbour is a unique opportunity for the EU and the US to develop an accountable mechanism for data transfer that would protect individuals’ rights to privacy and data protection and provide companies with legal certainty at the same time.

Next steps

Under an unprecedentedly short timeline, the Court will rule on this case only a week after the AG opinion was delivered. In the majority of cases, the EU Court follows the AG’s recommendations. Rendez-vous tomorrow at 09h30 GMT+1 for this (already) landmark ruling.