The Safe Harbour regime that governs the exchange of personal data between the EU and the US has been severely questioned by an Advocate General of the European Court of Justice in an ongoing court case. As a consequence, the Safe Harbour regime might be suspended or terminated in the near future.
In 2013, Max Schrems (an Austrian law student) sued Facebook for violating data protection laws in Ireland, because Facebook automatically transferred all data to the US under the Safe Harbour regime.
According to Mr Schrems, it is against EU law to send data to the US without any national authority having checked whether Facebook observes European data protection rules in the US.
The High Court of Ireland decided that this question was contingent on the interpretation of European Union law and therefore requested a preliminary ruling of the European Court of Justice, whose decision in the case C-362/14 is expected by the end of 2015.
2. Relevant Legal Question
Part of the legal dispute is whether the Safe Harbour regime is in accordance with EU law or not. The regime is based on a contract between the EU and the US, in which the EU concedes that any US company that appears on the Safe Harbour list of the US government shall be treated as if it were a European company with regard to data protection (i.e. it is assumed that the US company observes the minimum level of data protection stipulated across the EU). This contract is based on a decision of the European Commission that stipulates that the US is a "safe country" for European data.
On 23 September 2015, the responsible Advocate General, whose role is to give his opinion to the European Court of Justice (which often confirms this opinion), doubted the validity of the decision on which the Safe Harbour contract is based. As a result, the US would no longer be automatically regarded as a safe place to which European data may be sent freely. Therefore, national authorities would have to investigate the facts of each individual case, to see if a US company observes the required minimum level of data protection.
The reasoning of the Advocate General is that the existence of a decision adopted by the Eu-ropean Commission on the basis of Article 25(6) of Directive 95/46/EC does not prevent a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appro-priate, from suspending the transfer of that data.
3. Consequences for US Companies
If the European Court of Justice follows the Advocate General's opinion, this ruling would heavily influence data transfer of US companies from the EU to the US. Therefore, EU law experts do not expect an immediate cut-off in the case that the court decides this way but rather a transition period for US companies. However, if the court follows the Advocate General's opinion, US companies will have to enter into additional agreements with their customers whose data are stored in the US. They will also likely have to request permission for data transfers to the US from national authorities.