In a blockbuster development on September 23, the Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, issued his opinion in the challenge to the Irish Data Protection Commissioner brought by Maximillian Schrems. The Advocate General upheld Schrems' argument that Ireland's DPA has the authority and duty to investigate whether, in the light of NSA mass surveillance, Safe Harbor provides adequate protection for data transferred to the U.S. by companies such as Facebook. This is a very significant finding, representing the first time that judicial authorities have proclaimed that the European Commission is "not empowered to restrict the powers of the national supervisory authorities," since these powers are derived from the Data Protection Directive.
Going even further, however, the Advocate General held that the European Commission's decision on the adequacy of the level of protection provided by the Safe Harbor privacy principles and FAQs is "invalid," as demonstrated by the fact that the Commission has been negotiating with the U.S. to strengthen the bi-lateral framework. According to his opinion, the Commission should have suspended the application of its Safe Harbor decision upon learning of NSA surveillance, as it was urged to do by all 17 German DPAs and a huge majority of the EU Parliament.
While the Advocate General's Opinion is not binding on the CJEU, most legal experts believe it is likely to be largely upheld by the Court when it issues its ruling in the case later this fall. Most observers believed that the Irish DPA would be compelled to re-open the matter, but few anticipated the possibility that the Court might force an immediate suspension to Safe Harbor. What form this suspension might take, and how disruptive it might prove, remain to be determined. Prudent multi-national companies relying upon Safe Harbor will want to assess how to proceed should the program be brought to a halt, including the use of alternative legal grounds for data transfers, relocation of data centers to Europe and the development of processing based upon pseudonymous information.