Advocate General’s Opinion on Safe Harbour highlights difficulty in regulating data transfers

Friday, 02 October 2015

The Irish Data Protection Commissioner is responsible for regulating Irish-based businesses that use and process personal data. The recent non-binding opinion issued by the European Court of Justice’s Advocate General Yves Bot on Safe Harbour – the EU-US trade agreement which allows EU citizens’ personal data to be transferred to the US – has, if followed by the European Court of Justice, the potential to make the job of the Commissioner and her staff much more complex.

Part of the Commissioner's job is to regulate the transfer of personal data to countries which are not deemed to have an adequate level of protection for the privacy and fundamental rights and freedoms of data subjects. But what if one such country is the United States, home to big data giants such as Google, Facebook and Apple, and through whose territory much of the world's data is transmitted on a daily basis?

The economic reality of how and where the world's data is routed is not an issue that the Advocate General dealt with in his opinion. The opinion was on a reference by the Irish High Court in a judicial review sought by Max Schrems, an Austrian student and Facebook member, of the refusal by the Irish Data Protection Commissioner to investigate what happened to Mr Schrems's data once it was transferred by Facebook Ireland Limited to Facebook Inc. in the US. Facebook Inc. is one of over 4,000 US-based companies that self-certify as compliant with European data protection laws under the Safe Harbour regime, which was negotiated between the European Commission and US government in 2000.

Mr Justice Hogan in the High Court recognised two events in particular that have impacted on Safe Harbour since it was adopted in 2000: the adoption of the European Charter of Fundamental Rights as part of the Lisbon Treaty in 2009 which includes an explicit recognition of data privacy rights, and the revelation in 2013 by Edward Snowden of the massive programme of surveillance by the US National Security Agency of personal data routed through US territory.

Mr Justice Hogan asked the European Court of Justice whether Safe Harbour is still valid. In the Advocate General's opinion, it is not and ought to be suspended.

The Advocate General's opinion is non-binding, but when the European Court of Justice hands down its judgment in the coming months it is more likely than not to concur with the opinion of the Advocate General. This will cause a significant headache for the Irish Regulator, as well as for Irish-based companies that regularly transfer data to the US.

The logistical and economic reality of the world's data infrastructure is not likely to change. What then are the implications for Irish-based data controllers? How can the seemingly incompatible ideals of data privacy and the insatiable consumer demand for data and connectivity be reconciled?

Even though there has not been a final judgment in this matter, what has been telling is the intense renegotiation of the Safe Harbour regime that has been ongoing between the EU Commission and the US in recent months. As the Advocate General pointed out in his opinion, the fact that the EU Commission had entered negotiations was itself an admission that Safe Harbour isn’t working. The Advocate General himself presented a possible means of squaring the circle through strengthening the regulation of Safe Harbour, observing that 'in order to attain a level of protection essentially equivalent to that in force in the European Union, the safe harbour scheme, which is largely based on self-certification and self-assessment by the organisations participating voluntarily in that scheme, should be accompanied by adequate guarantees and a sufficient control mechanism.'

The suspension of Safe Harbour raises the prospect that the Irish Data Protection Commissioner, and her equivalents throughout Europe, will have to investigate data transfers to the US, and forbid the likes of Facebook Ireland Limited from transferring its data to the US if European standards of data protection cannot be upheld. It is difficult to see how this would work in practice. A more likely outcome therefore will be a strengthening of the Safe Harbour regime, with the establishment of a sort of international data protection regulator given auditing, investigation and enforcement powers to oversee a 'Safe Harbour 2'. Given that the judgment of the European Court of Justice is imminent, this new regime will have to be put in place sooner rather than later.
