Out-Law News | 23 Sep 2015 | 4:13 pm | 2 min. read
In a non-binding opinion, Yves Bot, an advocate general at the Court of Justice of the EU (CJEU), said the EU-US Safe Harbour Agreement is not compatible with EU data protection laws.
The framework allows personal data to be transferred by US companies from the EU to the US without there being sufficient restrictions on, and oversight of, how that data might be processed, Bot said. The framework also fails to provide sufficient access to redress for EU consumers whose data is mis-used when transferred to the US under the scheme, he said.
Bot said the Safe Harbour Agreement "cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme".
EU data protection laws prohibitt companies from sending personal data outside of the European Economic Area unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved by the Commission as having adequate data protection. Only a small number of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection.
In 2000 the European Commission and the US Department of Commerce agreed a framework that allows for the transfer of personal data from the EU to the US where data protections meet EU standards. US organisations that self-certify that they conform to the requirements of the safe harbour regime are deemed as having met the 'adequacy' standards outlined in the EU Data Protection Directive.
However, the Safe Harbour Agreement came in for scrutiny and criticism in the aftermath of revelations made public through the media in 2013 by former US National Security Agency (NSA) employee Edward Snowden. Snowden released documents that he claimed showed the surveillance capabilities and practices of the NSA and other intelligence agencies.
The European Commission, following the Snowden leaks, conducted a review of the Safe Harbour Agreement and found "deficiencies in transparency and enforcement" in how the framework operates.
The Commission was called on by MEPs to suspend the Safe Harbour Agreement with the US but chose instead to allow the current regime to continue whilst it has pursued attempts to reach an updated agreement on data transfers with its US counterparts. These negotiations are ongoing.
That decision was criticised by Bot. He said that the evidence points to US surveillance practices infringing on EU citizens' privacy rights in an unjustified way, stemming from the access to personal data they have from US companies signed up to the Safe Harbour Agreement under US law.
"The access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued," Bot said. "Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security."
"Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter [of Fundamental Rights of the European Union]," he said.
Bot said national data protection authorities in the EU have the power to suspend transfers of personal data to the US by either acting on their own initiative or in response to complaints lodged with them.
The CJEU has been asked to rule on whether DPAs do have such power to suspend transfers of personal data to countries where it considers there to be a lack of adequate data protection in place for data subjects even if the Commission has determined that such adequate protection does exist.
That question has been referred to the Court by the High Court in Ireland which is considering a challenge made by an Austrian student against Ireland's data protection watchdog's handling of his complaint about data transfers involving Facebook. The CJEU is likely to issue its formal judgment in several months.