EU - US Personal Data Transfers - Safe Harbor Under Threat

Author: Mr Rohan Massey, Heather Egan Sussman, James S. DeGraw and Mark Barnes
Profession: Ropes & Gray LLP

Following a private challenge by an Austrian law student to the storage by Facebook of his personal data on servers located in the United States, the EU Advocate General (the "Advocate General") has filed an advisory opinion with the European Court of Justice (the "Court of Justice") recommending that the EU-U.S. safe harbor of privacy principles (Commission Decision 2000/520/EC) (the "Safe Harbor") be invalidated. The Safe Harbor is a framework developed by the U.S. Department of Commerce and European Commission (the "Commission") that permits the transfer of personal data from the EU to the U.S. if the receiving entity adheres to certain privacy protection principles. The Safe Harbor thereby provides a legal basis to transfer data to the U.S. notwithstanding the fact that the Commission has found that the data privacy laws of the United States do not otherwise offer an adequate level of protection for personal data. Therefore, firms that are, or are planning to become, Safe Harbor certified should closely monitor whether the Court of Justice adopts the Advocate General's opinion and consider preparing for a situation in which the Safe Harbor is invalidated.

According to the Advocate General, revelations stemming from the Edward Snowden matter have recently brought to light the existence of large-scale information-gathering programs in the United States that are inconsistent with the privacy protections of the EU Data Protection Directive (Directive 95/46/EC) (the "Data Protection Directive"). As a result, the Safe Harbor scheme can no longer guarantee EU residents' rights to privacy and should therefore be found invalid and immediately suspended. 

Over 4,000 companies rely on the Safe Harbor to transfer personal data to the U.S. "Personal data" is defined broadly under the Data Protection Directive "to include any information relating to an identified or identifiable natural person," meaning that even relatively mundane information like payroll and company phone books can be considered personal data. Given this broad definition of "personal data," companies that send personal information from the EU to the U.S. (including EU companies that use servers located in the U.S.) often rely on the Safe Harbor for their everyday operations. 

As background, the proceeding on which the Advocate General commented is between an Austrian law student and the Irish Data Protection Commissioner (the "Commissioner"). The law student brought the proceeding...
