The End of Safe Harbor? Posted by John on 23 September 2015

Yves Bot, Advocate General of the European Court of Justice (ECJ), has said that the EU-U.S. Safe Harbor process is invalid. The framework regulates U.S. companies to comply with EU data protection law and has been in place for 15 years. At present, over 4,000 U.S. companies have Safe Harbor certification. 

The AG further opinioned that EU Member States “must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data.” 

As such, the opinion by the Advocate General means that the mass transfer of personal data from the EU to the United States by corporations such as Facebook and Google contradicts EU data protection laws and represents a breach of the fundamental right to privacy as set out in Article 8 of the European Convention on Human Rights. 

The case is based on a High Court judicial review application which was paused by Justice Gerard Hogan who sought a preliminary ruling from the Court of Justice of the European Union. The case will be ultimately decided by the High Court, however the Irish court is bound by the European Court’s opinion.

Mr. Bot said that American privacy rules do not offer European citizens enough protection, or legal recourse, against their online data being misused by companies or national governments. He added that the potential collection of people’s online information, often without their knowledge, infringed on Europeans’ fundamental rights. He also criticised the agreement in question between Europe and the United States that allows companies to share data and commented that this agreement should have been suspended.

The plaintiff, Max Schrems; the Austrian PHD student who has campaigned for greater transparency regarding EU-US data sharing practices, has commented: “After an initial review of the advocate general’s opinion of more than 40 pages it seems like years of work could pay off. Now we just have to hope that the judges of the Court of Justice will follow the advocate general’s opinion in principle.”

Today’s opinion is not legally binding, although it is widely expected to be followed by a similar decision from the Grand Chamber of the ECJ as early as next month. It could in essence mandate the Office of the Irish Data Protection Commissioner (ODPC) to investigate the personal data management practices employed by Facebook. Furthermore, the procedures by which the ODPC regulates US tech corporations will have to be fundamentally reevaluated. Corporations such as Twitter, Google, Apple, Linkedin & Facebook all have their European headquarters in Ireland and as such fall under the remit of the ODPC. 

This groundbreaking decision coupled with the imminent enactment of the General Data Protection Regulation indicates that privacy and data sharing practices are being closely safeguarded by the EU and that values inherent in Human Rights Conventions will be strictly enforced.