Just when you thought it was safe: The AG's Opinion on the (in)validity of "Safe Harbor"

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and implications

On 23 September 2015 the Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, handed down an opinion in a case called Schrems. In this opinion, amongst other eye-catching views, the Advocate General suggested that the current legal regime that permits transfers of personal data from the EU to companies in the US, the so-called Safe Harbor Agreement, should be held to be invalid as it "cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the EU to the US". In reaching this conclusion, he noted that personal data was subject to "mass and indiscriminate surveillance and interception" by US intelligence authorities. Whilst this opinion is not binding, if followed by the CJEU it could interfere with certain transfers of personal data from the EU to the US which currently rely on the scheme.

What was the case about?

Mr Schrems had an account with Facebook which was administered in Ireland. His personal data were passed to various Facebook servers in the US. In transferring the data outside Europe, Facebook relied on a European Commission decision issued in 2000 (known as the Safe Harbor Agreement). This is, in essence, a self-certification scheme intended to ensure “adequate protection” for personal data transferred from the EU to the US. Mr Schrems objected to this practice. He claimed that, following revelations made by Edward Snowden regarding the US surveillance programme, PRISM, the US did not sufficiently safeguard the privacy of his personal data. PRISM allows certain US security agencies access to the US-based servers of companies which are compulsory members of the scheme.

Upon discovering that his personal data could be interrogated under PRISM, Mr Schrems – who was crowd-funded to bring the case – sought a declaration that the activities of Facebook in exporting his personal data to the US were not lawful. He made his complaint to the Irish information regulator, and then to the Irish Court. The Irish Court referred the question to the CJEU, as a question of over-arching EU law, which in turn led to the Advocate General's Opinion.

The Advocate General's Opinion

The Advocate General unequivocally found the Commission's Safe Harbor Agreement to be defective since it resulted in a situation in which US security agencies could access “in a comprehensive manner, [the personal data of] all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” He went on to say that “such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with [European privacy] … rights” in the complete absence of any form of judicial accountability. He concluded that the Safe Harbor Agreement "must therefore be declared invalid since [it] cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States".

What does this mean?

This opinion, if followed by the CJEU, may have significant consequences for data transfers from Europe into the US. If the Safe Harbor Agreement were quashed, companies that currently rely on it to comply with EU law for data transfers into the US would need to reach for other solutions to ensure the lawfulness of their data transfers. A number of other well-established data transfer options exist, including EU Commission-approved standard contract clauses. However, the Advocate General's Opinion suggests that there are also possible implications regarding the legality of other data transfer models, depending on whether or not certain third party servers or platforms are used to effect the data transfer.

It is too early to appreciate the full implications of the Schrems opinion. Given the huge number of EU to US data transfers undertaken every day, it is almost inconceivable that the European Commission will not find a means to address the legal issues being raised by this case in a timely fashion. Nevertheless, companies that transfer data from Europe into the US should follow this case closely.