On 23 September, the Advocate General at the European Court of Justice (ECJ) Yves Bot presented his Conclusions on the Case C-362/142014, considering that Commission Decision on Safe Harbour is invalid.
The questions opened by these Conclusions regarding the way forward are numerous and we will have to wait until the final Decision of the Court, which will confirm Advocate General’s Conclusions or on the contrary will depart from the views of Mr Bot. Conclusions of the Advocate General are not binding on the Court of Justice, but they are extremely influential and, in the majority of cases, are followed in the final decision of the ECJ.
These Conclusions especially if finally ratified by the ECJ Ruling will have profound implications for organisations transferring personal data from the EU to the US.
The way forward can be better understood if we look back to what has happened in the last years, even before first Snowden revelations have shaken the privacy debate at both sides of the Atlantic.
In January 2013 I sent Commission colleagues an innocent email asking them to send me a copy of the study mandated by the Commission to assess the implementation of the Safe Harbour (SH) agreement.
This was an old study prepared in 2008, which was supposed to be the basis for the evaluation report of the Commission. However, five years later, Commission had not published this evaluation report, but postponed sine die its publication, claiming that the fundamental shortcomings pointed out by the study were being addressed by US Authorities, thus Safe Harbour was being improved.
Initially, the Director General refused the access to such document because it could interfere in the ongoing legislative process. Based on the rules regarding public access to European Parliament, Council and Commission documents, I appealed the decision and in July 2013, five months after my initial request, the Secretary General granted me the access to such study considering the document could be disclosed entirely.
It was probably not the best moment to make public such a study considering that the first Snowden revelations exploded in June 2013. The “old” study turned to be an interesting reading with demolishing conclusions:
“Beside the noticeable improvements that have been underlined, and in particular the notoriety of the SH among US organization, the general situation is still quite critic. A global assessment of the implementation of the SH leads to the conclusion that the SH in 2008 does not offer a level of protection better than the one that appeared in 2004, if not worse. Without a substantial action of the US actors it might be difficult to maintain an EU statement on the adequacy of the system imagined in 2000. If definitively self-regulation which is the cornerstone of the SH Principles might for different reasons be considered as a credible substitute of the EU legislative approach, it remains absolutely needed that the SH self-regulation and its effectiveness should be taken more seriously by their promoters”.
Based on this study, Commission was supposed to present the second implementation report of Safe Harbour already in 2008. However, the study was so negative highlighting all the shortcomings of the Agreement (that, by the way, had already been raised in the previous implementation report in 2004, the only one that the Commission did on the application of Safe Harbour scheme) that the Commission did not dare to take the natural and difficult decision, which should have been revoking the Safe Harbour scheme as it no longer seemed to provide an adequate level of protection or starting immediate discussions with US Authorities to introduce the necessary improvements and guarantees.
This could have been done already in 2008, before Snowden, before GDPR, before VP Reding was in charge of the dossier. But the Commission preferred to stress the improvements introduced in the Safe Harbor since 2004, recognizing -at the same time- that “however” there was still room for further improvement. Commission worked on various drafts (more than ten drafts!), but never published the Implementation Report.
In defense to the Commission, whose work is critically attacked by the Advocate General, one could say: How Commission was supposed to suspend the Safe Harbour Decision? What would have been the way out for companies trusting in Safe Harbour to transfer personal data? Transfers of personal data form an integral part of the transatlantic relationship and the commercial exchanges across the Atlantic with large amounts of data going from the EU to the US. Purely suspending the Agreement was not the solution in 2008 as it is probably not the solution today, if companies are not given a feasible alternative to be able to transfer personal data outside Europe while complying with the Data Protection Law.
The Advocate General has only confirmed what the “old” report said in 2008 and what the Commission knew, but now it is more difficult to find middle ground solutions, especially if the Conclusions of the Advocate General are confirmed by the final Ruling. An invalid Safe Harbour scheme would mean “immediate suspension” without any alternative for Safe Harbour self-certified companies in the short term. Companies would need a transitory period to adapt and to negotiate Binding Corporate Rules or Standard Contractual Rules, both very lengthy and complex procedures.
Given the significance of transatlantic data flows, it is essential that the instruments on which these exchanges are based appropriately address new technological developments and the challenges and opportunities of the digital era. In any case, future arrangements and agreements should guarantee a high level of protection over the Atlantic.