Post-Snowden Woes: EU Opinion Invalidates US Tech Firm ‘Self-Certified’ Data Privacy
On September 29, Bloomberg BNA reported that the European Union’s top court will deliver a critical ruling on October 6 in a compelling case for companies that rely on the Safe Harbor to lawfully transfer personally identifiable information from the EU to the United States.
The scheduled ruling would come only two weeks after an advocate general for the European Court of Justice issued a non-binding opinion stating that certain US intelligence practices render the protections of the Safe Harbor data privacy agreement invalid. While the ECJ usually takes several months to issue rulings following an opinion from the advocate general, the court is expediting Schrems v. Data Protection Commissioner – an indication of its importance.
At issue in Schrems is a referral by Ireland’s High Court of a case involving an Austrian law student who asked for a ruling on whether Ireland’s Office of Data Protection Commissioner is obligated to investigate a US-based company over the possible surrender to US officials of personal data transferred under the Safe Harbor.
Under the existing framework, major US tech firms “self-certify” that their data protection practices match the more stringent EU regulations via the “safe harbor” framework. This certification allows data for EU citizens to flow legally across the Atlantic in a streamlined manner. The advocate general’s opinion has recommended that the framework be deemed invalid because of the US government access to personal data revealed by the Snowden affair. This opinion reflects the ongoing privacy concerns of US allies following Edward Snowden’s revelations concerning the extensive nature of the National Security Agency’s surveillance. According to advocate general Yves Bot, “a third country cannot in any event be regarded as ensuring an adequate level of protection.”
Currently, the Safe Harbor principles allow thousands of US companies to comply with the EU directive on personal data protection and share data between the US and EU. Because the European Commission has already demanded changes to the framework and the ECJ may follow his recommendation, Mr. Bot’s opinion creates a great deal of uncertainty.
At this point, the Safe Harbor framework is still a legitimate and well-recognized manner for data to flow between the EU and the US. But if the court agrees with the advocate general, then the framework may be deemed ineffective as a basis for data to flow across the Atlantic. As companies await the decision, they should consider other options for transfer of data from the EU to the US. Currently, there are several other approved mechanisms for permissible transfer, including contractual clauses and binding corporate rules; in some instances, consent to the transfer is also sufficient.