This morning, the Advocate General of the Court of Justice of the European Union (CJEU), in his Opinion on the “Safe Harbor” Agreement with the United States, advised the Court to declare the entire Agreement invalid. The catalyst for the case was the mass surveillance practices of the United States.
Sixteen years ago, the EU and US concluded an agreement to allow personal data to be transferred into the US jurisdiction, which does not have comprehensive privacy laws. Literally from day one, it was quite clear that the agreement was unlikely to succeed. Now, after fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew – the Agreement should be declared invalid. The Agreement has been kept alive by the European Commission’s refusal to accept the ever-growing mountain of evidence of the inadequacy of the Agreement.
“If confirmed by the full Court, this is a very important step for the right to privacy in Europe,” said Joe McNamee, Executive Director of European Digital Rights. “What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements or laws in force that are patently illegal.”
We now await the ruling of the full Court, which we fully expect to uphold the opinion of the Advocate General.
Press Release from the CJEU: http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf
Full text of the Opinion:
FAQ – Safe Harbor
1) What is the Safe Harbor agreement?
Under EU data protection legislation, personal data can only be transmitted outside the EU under number of specific circumstances. One of these is a recognition of adequate data protection rules in the country where the data is being sent.
Due to the fragmented, inadequate approach to data protection in the US, a specific arrangement, called “Safe Harbor” was designed to create a framework for transfer of data to the United States. This was adopted in 2000.
There have long been serious concerns about the real protection that Safe Harbour actually provided. For example the 2008 study by Galexa called “The US Safe Harbor – Fact or Fiction” identified numerous problems. Implementation reports demanded by a sceptical European Parliament also resulted in reports from the European Commission that pointed to problems, but refused to recognise the scale of the instrument’s problems.
2) Why is it suddenly a problem now?
Under the current framework of the EU Data Protection law (Directive 95//46/EC), transfers of personal data need to ensure “an adequate level of protection”. Given the revelations exposed by Edward Snowden on the mass surveillance activities performed by the US National Security Agency (NSA), serious concerns were raised about how the Safe Harbour agreement provides the adequate level of protection for European data. In particular the surveillance under NSA’s PRISM programme facilitated by mass exports of data raise serious concerns.
During questioning in the hearing in the Court, the European Commission representative reportedly admitted that adequate protection is not offered by the agreement.
3) What happens if it is revoked by the Court of Justice?
There are other options for legal transfer of data outside the EU. While some industry representatives claim that suspension of the agreement would be hugely costly from an economic perspective, this is not the case.
4) What has the Advocate General said today? Is this already a “decision” or a “judgement”?
The Advocate General’s role is to advise the Court on what it should do. In most cases the Court (which will make a final decision shortly) follows the Opinion of the Advocate General. So, today’s announcement is not the final ruling.
In his opinion, the Advocate General stated that if a Data Protection authority considers there is not enough protection in a given country, the national authority needs to have the “power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision “. He also added that the US practices allow for “large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection” and that this lack of judicial protection is a disproportional interference with the right of EU citizens of the to an effective remedy, protected by the EU Charter of Fundamental Rights.