On September 23, 2015, Advocate General Yves Bot delivered an opinion on the issue of the transfer of personal data from Facebook Ireland to Facebook USA, in light of the generalized access the National Security Agency (NSA) and other United States security agencies have to the data stored at Facebook USA.
The Advocate General states that the finding that a third country does or does not ensure an adequate level of protection is a shared competence between the EU Commission and EU Member States. As a consequence, the Advocate General takes the view that the existence of a decision adopted by the EU Commission cannot eliminate or even reduce the national supervisory authorities’ powers to form their own opinions on the general level of protection ensured by a third country. Indeed, he points out that the requirement that compliance with EU rules regarding protection of individuals’ personal data is subject to control by an independent authority, is also expressly stated in the Charter of fundamental rights of the EU.
The assessment of whether, under the Safe Harbor scheme, the United States guarantees an adequate level of protection of personal data transferred therefore necessarily leads to an evaluation of the validity of the EU Commission’s decision that there was an adequate level of protection of personal data. The Advocate General refers to the particular nature of an adequacy decision to insist on the need to regularly review the EU Commission’s decision, especially if new events have occurred in the meantime that call into question the initial assessment. Such new events have occurred in the case at hand, as Edward Snowden recently revealed that personal data transferred by undertakings such as Facebook Ireland to a parent company in the United States is subject to assessment by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data. The present negotiations between the EU and the U.S. to reframe the Safe Harbor, in order to put an end the shortcomings, have also revealed that the protection was not adequate. Based on those considerations, the Advocate General’s conclusion is that the EU Commission’s decision is invalid; it authorizes a disproportionate mass surveillance and, as a consequence, its application should have been suspended.
Based on this opinion, there is a very high risk that even before the final decision of the Court of Justice of the EU, national Data Protection Authorities will follow the decision to suspend transfer of personal data between the EU and the U.S. based on Safe Harbor.
Click here for the press release from the Court of Justice of the European Union (CJEU) regarding this opinion.