Member News

Is the Safe Harbor Framework Still Safe?

On October 6, 2015, the European Court of Justice (ECJ) will issue its decision in the Schrems case which may invalidate the U.S. Safe Harbor Framework. The Safe Harbor Framework permits U.S. companies to transfer personal data regarding their E.U. employees and customers to the U.S. in compliance with E.U. data protection requirements.

The case involves a legal challenge brought by Austrian national, Max Schrems, against Facebook regarding Facebook’s transfer of personal data from the E.U. to the U.S. under the Safe Harbor provisions.  As Mr. Schrems’ agreement was with Facebook Ireland, he filed his complaint with the Irish Data Protection Commissioner and the Irish Courts.

While the Court rejected Schrems’ claim that the Safe Harbor provisions were inadequate to protect his privacy interests, it requested that the ECJ examine the question of whether the Irish Data Protection Authority is bound to follow the Safe Harbor Framework or whether it should conduct its own investigation into the adequacy of Facebook’s data privacy protections.

On September 24, 2015, the ECJ Advocate General, Yves Bot, issued a non-binding opinion recommending that the ECJ invalidate that the Safe Harbor framework in the Schrems case in light of Edward Snowden’s revelation that personal data transferred from the E.U. under the Safe Harbor framework has been accessed by the U.S. NSA under the PRISM program. In making this recommendation, the Advocate General arguably went beyond the terms of reference of the question put to the ECJ by the Irish Court and it is worth remembering that the ECJ is not bound to follow the opinion to follow the opinion of the Advocate General and does not always do so.

However, a decision by the ECJ to invalidate the Safe Harbor Framework as the Bot opinion recommends would have serious ramifications as the more than 4,500 companies that currently use the Safe Harbor provisions will need to find other legal means to transfer personal data from the E.U. to the U.S.

The Ogletree Deakins Data Privacy Practice Group is evaluating the impact of an adverse ECJ decision and will provide further information recommendations to our clients on October 6 after the release of the Schrems decision.

For more information or questions about this article, please contact Grant Peterson at Grant.Petersen[at]ogletreedeakins.com or Simon J. McMenemy at simon.mcmenemy[at]ogletreedeakins.com

Compliments of Ogletree Deakins – Ogletree Deakins is a member of the EACCNY