In what has likely been the world's leading story amongst privacy news headlines this week., European Court of Justice (CJEU) Advocate General Yves Bot issued his opinion Wednesday that the EU-U.S. Safe Harbor agreement is "invalid" due to U.S. law-enforcement access to EU citizen data. And while such advocate-general opinions may not be binding, the CJEU has been known to follow them in an overwhelming majority of instances—to the tune of 85 percent of the time.
As The Privacy Advisor reported earlier this week, some of the first reactions to Bot's opinion came from Austrian student Max Schrems, who, with his group Europe v. Facebook, originally filed the case alleging the U.S. National Security Agency collected Europeans' data via Facebook in violation of EU law that ultimately led to Bot's opinion.
But Schrems isn't the only one weighing in on Bot's opinion. Here are just a few of the reaction stories we've seen this week from privacy pros and media organizations alike.
In a piece for Hogan Lovells' Chronicle of Data Protection, Eduardo Ustaran, CIPP/E, writes that the opinion "has created significant uncertainty relating to its immediate future." He goes on to point out three specific "challenges to be overcome for Safe Harbor to continue to be a valid mechanism for transfers." Ultimately, he writes, "Safe Harbor is not dead and still has a crucial role to play in delivering a strong level of protection for European data, but it is only prudent to consider other alternatives that may be deployed to ensure that transatlantic data flows continue to be lawful."
Bird & Bird Partners Ruth Boardman and Fabian Niemann take a close look at Bot's opinion, including a breakout of its key elements followed by an evaluation of the opinion. They point out that whether the CJEU will follow Bot's decision is not yet known, writing, "We believe that it should not."
In a report in The Guardian, PwC's Stewart Room, CIPP/E, is quoted on the opinion, describing it as signifying "a real game-changing view on the power of the European Commission to override the views of the data privacy regulators of the member states. The advocate general takes the view that the Commission cannot bind the national regulators. In other words, the views of the member states’ regulators trump the central view of Brussels."
If the ECJ does follow Bot's guidance, "the consequences for EU-U.S. relations could be considerable: diplomatically, commercially and in the ongoing TTIP trade talks," The Irish Times reports, while Hunton & Williams' Privacy & Information Security Law Blog reports that the opinion is likely to "increase the pressure on U.S. and EU government authorities to reach agreement on a revised U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework remains a valid mechanism for the transfer of personal data to the U.S. pending the decision of the CJEU."
And in a piece for Data Breach Legal, Charles Borrero writes that it may be more likely for the CJEU will rule that the European Commission decision is valid but does not curb or preempt the independent supervisory authorities."
Among those potential impacts, they write, if the CJEU aligns with Bot's opinion and finds Safe Harbor invalid, "organizations that rely on the Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the United States. Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent. Binding Corporate Rules are another alternative, but would require more time to put in place."
For those organizations concerned about the potential fate of Safe Harbor in the wake of Bot's opinion, check out our feature on a Safe Harbor alternative, namely, binding corporate rules (BCRs), which features a roundup of the IAPP's past BCR-related coverage.
If you want to comment on this post, you need to login.