On October 6, 2015, the European Court of Justice (ECJ) will issue its decision in Schrems v. Data Protection Commissioner, Case C-362/14, which may invalidate the U.S.-EU Safe Harbor Framework. The Safe Harbor Framework permits U.S. companies to transfer personal data regarding their employees and customers from the European Union (EU) to the United States in compliance with E.U. data protection requirements.
The case involves a legal challenge that Austrian national Maximilian Schrems brought against Facebook Inc. for transferring personal data from the European Union to the United States under the Safe Harbor Framework. Schrems, who subscribed to Facebook in 2008, signed a contract with Facebook Ireland—a subsidiary of Facebook Inc.—as do all Facebook subscribers residing in the European Union. As Schrems’ agreement was with Facebook Ireland, he filed his complaint with the Irish Data Protection Commissioner and the Irish courts. While the court rejected Schrems’ claim that the Safe Harbor Framework was inadequate to protect his privacy interests, it requested that the ECJ examine the question of whether the Irish Data Protection Commissioner is bound to follow the Safe Harbor Framework or whether it should conduct its own investigation into the adequacy of Facebook’s data privacy protections.
On September 23, 2015, the ECJ Advocate General, Yves Bot, issued a non-binding opinion recommending that the ECJ invalidate the Safe Harbor Framework. A main factor in this opinion was Edward Snowden’s revelation that personal data transferred from the European Union under the Safe Harbor Framework has been accessed by the United States’ National Security Agency under the PRISM program.
In making this recommendation, the Advocate General arguably went beyond the question put to the ECJ by the Irish court, and the ECJ is not bound to follow the opinion of the Advocate General and does not always do so. However, a decision by the ECJ to invalidate the Safe Harbor Framework as the Bot opinion recommends would have serious ramifications as the more than 4,500 companies that currently use the Safe Harbor Framework will need to find other legal means to transfer personal data from the European Union to the United States.
The Ogletree Deakins Data Privacy Practice Group is evaluating the impact of an adverse ECJ decision and will provide further updates on this topic on October 6, 2015, after the release of the Schrems decision.