CJEU, AG Opinions, Safe Harbor, (Oh My!)

What’s happened?

Max Schrems took a case against the Irish Data Protection Commissioner over the transfer of personal data to the US by Facebook. At the heart of the case was whether the Irish DPC should have (or could have) suspended the “Safe Harbor” provisions permitting the transfer of data to the US by companies under the Regulatory oversight of the Irish DPC. This case wound up in the Irish High Court, where Mr Justice Hogan referred it on to the Court of Justice of the European Union (CJEU). That case was heard by the Court in March (our friends over in Digital Rights Ireland had an amicus brief on the case to help the Court).

Today the Advocate General has published their Opinion. This is not a ruling by the Court, but the Court follows the Opinion of the Advocate General over 75% of the time. Even when they don’t follow the Opinion, the Court doesn’t always disagree: In Digital Rights v Ireland the AG Opinion had called for a suspension of the Communications Data Retention Directive. The Court struck it down entirely.

The AG’s Opinion today:

1. Recommends the striking down of Safe Harbor on the basis that
2. Mass surveillance by the US Intelligence services is incompatible with the Fundamental Right to Personal Data Privacy, particularly where
3. There is no effective recourse to an independent authority.

The Opinion also tells us that:

1. Data Protection Authorities have a positive duty to initiate investigations except where the complaint is frivilous or vexatious in nature (and I’d have to ask: how do you objectively decide that without doing some investigating?)
2. Data Protection Authorities are required to challenge domestic laws and decisions of EU instutitions where they result in an infringement of Data Privacy rights. This is a key hallmark of an independent Regulator.

Why does it matter?

A large number of the tools and applications we use online today rely on the Safe Harbor framework to transfer and process data in the United States. Services like MailChimp (even if you go for their “Data Processor Agreement” it still relies on Safe Harbor – a missed opportunity), SurveyMonkey, and others all rely on Safe Harbor to allow data you provide them (or that your customers provide to you via their services) to be transferred to servers in the US. In the absence of Safe Harbor, those services would require another legal basis to transfer data provided by you or your customers to servers in the US (consent, model contract clauses, etc)

Given how many charities, non-profits, small businesses, and big businesses rely on tools like MailChimp and SurveyMonkey, and other “cloud” services, the impact of it suddenly being illegal to use those services (in their current form) would be significant.

While the AG’s Opinion is just an Opinion, it’s a pretty big warning. It’s a warning that, within the next few months, Safe Harbor (in its current form) will be struck down and, in the absence of a Plan B from the politicians who negotiated Safe Harbor, businesses that rely on services that have hung their compliance hat on Safe Harbor will need a Plan B of their own.

Devil in the Detail

Apart from the implications for MailChimp and the like, there are other implications in the AG’s Opinion. The position they are adopting is that the ultimate arbiter of things is the compatibility of processing with Article 8 of the Charter of Fundamental Rights (right to Personal Data Privacy) and Article 7 right to Privacy. This is consistent with a number of recent CJEU rulings since 2014’s DRI v Ireland case.

In light of this, the AG’s Opinion is that national legislation and Commission decisions are not immune to challenge by Data Protection Regulators. Indeed, the general thrust of the AG’s Opinion here is that, when faced with a question of whether they need to challenge national laws or Commission bodies, DPAs should shoot first and ask questions later act first and seek forgiveness later. In short, a Data Protection Authority has a positive duty under the Treaty to act independently to vindicate Data Subject Rights, therefore they have a positive duty to conduct investigations and reach conclusions, unless the compliant is clearly frivilous or vexatious.

What are the implications?

The implications of the Opinion on Safe Harbor are simple: Unless the underlying issues which the AG has identified as contributing to the ineffectiveness of Safe Harbor as a mechanism to uphold fundamental rights (specifically, but not limited to, the extent of mass surveillance practices of the US Government and its agencies), then Safe Harbor is sunk. To paraphrase Monty Python:

This Safe Harbor is Dead. It has ceased to be. It has joined the Governance Model Choir Eternal. It is NO MORE!

Attempts by the EU Commission and the US State Department over the past few years to insist that Safe Harbor was just “having a nap” but was still alive, while they tried to paper over the cracks, have not met the required tests in the view of the Advocate General. And the Court tends to follow the AG’s lead.

More interestingly, and more pertinent in a world where people either don’t use services that rely on Safe Harbor or have managed to sort the headache out using alternative mechanisms, the AG’s view on the investigative role and responsibility of an independent Data Protection Authority will have ramifications.

For example, if a Data Protection Authority was to have adopted a position that it didn’t investigate “systemic” issues but only looked at matters where there was an affected party who needed some form of Ombudsman to act for them, then the AG’s Opinion appears to be, at best, ‘problematic’. What AG Bot indicates is required of an independent Data Protection Authority is that they would identify where national laws or other rules or legislation are at odds with the requirements of the Charter and the applicable Data Protection legislation and would push back against the defective rule by way of enforcement or a formal decision (which could then be appealed).

From a Data Subject’s perspective, it means that if you have a complaint, it has to be looked into. Unless there is objective evidence that you’re a crackpot.

Does this mean we should expect to see more aggressive investigation of complaints relating to Public or Private sector data handling and more direct decision making? Will our Data Protection Authorities need to adopt more of the persona of Judge Dredd rather than Deputy Dawg? A lot hangs on what the Court ultimately decides. But the Opinion should be leaving some ears burning around the EU28 today.

What next?

Now we wait for the judgement of the Court. We also wait to see if the EU Commission and the US Government can get a resolution to the fundamental issues that undermined Safe Harbor, and if they can do it BEFORE the CJEU delivers its ruling. Given that these issues have been known and negotiated for the better part of fifteen years without success, I would not give good odds on that happening.

Organisations that rely on services that have hung their hat on Safe Harbor should consider the Business Continuity and other risks associated with the potential for Safe Harbor to be declared unlawful. It is important to have a plan and to be able to put it into place should the worst case scenario come to pass. Likewise, organisations that are relying on what we call “a bit o’ ould law” (a Statutory provision or administrative rule etc.) that has been the hook you’ve hung compliance on need to assess how necessary and proportionate their processing is under that law and whether they are potentially infringing in an unbalanced way on Article 8 rights.

Key Takeaways:

• Contact your Service providers and ask them what their contingency plan is if Safe Harbor ceases to be an option. Ask if they can put that plan into place immediately if needed or if there is a lead time.
• If they don’t have one that addresses the underlying problems and risks, then begin to look at alternative providers and develop your plans to migrate data away from your current supplier.
• Get ready for more direct investigations by Data Protection Authorities, and be prepared for existing statutory bases for processing to be open to challenge.