As the dust begins to settle after the headline-grabbing Advocate General opinion in the Schrems v. Irish Data Protection Commissioner it may be worth considering some of the other potential implications arising from that opinion.
Of course, the AG opinion is not the final word on this matter. That will rest with the judgement of the Court of Justice of the European Union (CJEU). And the CJEU is not bound to follow this opinion. So there may well be life left in Safe Harbor (or Safe Harbor 2.0) yet. But if the CJEU follows suit, what else could this mean?
- The Irish Data Protection Commissioner had initially refused Mr Schrems' complaint on the grounds it was "frivolous or vexatious" as he could not evidence that his information specifically had been subject to surveillance by US law enforcement agencies. Once the CJEU has made its decision, the complaint will be passed back to Ireland – could the same conclusion be reached as Mr Schrems has still not provided this evidence? Given the conclusions of the Irish High Court in making its referral to the CJEU this seems unlikely – they believed the PRISM programme gives rise to a "significant issue"; but you never know.
- If the CJEU determines, as seems likely, that the independence of local data protection supervisory authorities means they are not necessarily bound to follow decisions of the European Commission, what other alternative approaches could local authorities adopt? Could we see some local authorities determining that other data flows do not provide an adequate level of protection for European personal data? Or perhaps the Article 29 Working Party will need to take more of a lead?
- AG Bot's critique of Safe Harbor is certainly
detailed. In essence, AG Bot identifies two fundamental flaws
with Safe Harbor:
- the rights granted to US law enforcement agencies to access personal information held by technology providers in the US are too broad – and, as a result, the restriction of the Safe Harbor principles in such circumstances disproportionate; and
- the lack of an independent authority in the US with a sufficiently broad remit to monitor and enforce compliance with the requirements for protection and security of personal data – the Federal Trade Commission's responsibility is limited to commercial practices but does not oversee the activities of US law enforcement agencies.
- Clearly the "Snowdon revelations" have brought concerns regarding Safe Harbor to the forefront, but these two "flaws" are products of the structure of Safe Harbor. Will the CJEU really follow suit in reaching a view that Safe Harbor has been "invalid" for the past 15 years? And does the same risks actually apply to model clauses or other data transfer solutions?
- The lack of an independent US data protection authority is significant in its own right; will this Opinion put pressure on the EU Commission to require such a body as part of the renegotiation of "Safe Harbor 2.0"? Will it put pressure on the US to press ahead with "rights for EU citizens"; other subject currently under discussion. What is clear, is that these negotiations have just received a renewed sense of urgency.
Some food for thought while we await the CJEU decision.
For more information, visit our Privacy and Data Security blog at www.datagovernancelaw.com
About Dentons
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.
Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.
Learn more at www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.
