On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) ruling in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here). The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service. The Legal Service provided a summary of the CJEU’s decision, and set out the following points:
- The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter. In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy. It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
- Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU. This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws. The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
- Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
- The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.