In a radical legal move today the Advocate-General in the Schrems case before the European Court has shaken the data protection safe harbor regime right to the core. Following the Snowden US surveillance revelations in 2013 the Austrian individual Maximillian Schrems brought a legal challenge before an Irish court challenging his rejected complaint before the Irish data protection regulator claiming that the US does not offer protection against surveillance by US intelligence authorities of data transferred to the US from the EU – Schrems’ data was being transferred from Facebook’s Irish subsidiary to the US. Back in 2000 the EU adopted the Safe Harbor Decision which provides a legal scheme for the adequate protection of personal data from the EU to the US. As the issue involved an interpretation of EU data protection law the Irish court had to refer to the European Court the question of whether the 2000 Safe Harbor Decision stops a national data protection regulator from investigating a complaint claiming that a country doesn’t ensure an adequate level of data protection and where appropriate from also suspending the contested personal data transfer.
The Advocate-General’s conclusions in his official legal Opinion are that national data protection regulators do have the power to undertake such investigations and suspend data transfers. Further, he has also concluded that the 2000 Safe Harbor Decision is flawed in that it doesn’t guarantee the protection of data protection rights and private and family life rights under EU law (including the EU Data Protection Directive) and consequently, according to him, the 2000 Decision is legally invalid. The Snowden revelations play a major role in his conclusions.
It should be stressed that the Advocate-General’s Opinion is not the end of this matter. The next step is for the European Court judges to give their ruling – no date has been set for this yet. The Advocate-General’s Opinion does not bind the judges and the judges usually follow the Advocate-General but not always as was seen in last year’s European Court ruling in the Google Right-To-Be-Forgotten case. The judges could find the Advocate-General’s Opinion too radical a move, but, if the judges agree with the Advocate-General then the EU will have to go back to the drawing-board on safe harbor – given the significance of the Snowden revelations it is hard to see for now how the EU will be able to conclude that the US offers an adequate level of data protection. The press release can be found here.
André Bywater and Jonathan Armstrong are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Jonathan Armstrong Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784