On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) ruling in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here). The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service. The Legal Service provided a summary of the CJEU’s decision, and set out the following points:
- The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter. In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy. It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
- Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU. This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws. The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
- Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
- The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.
Following the presentation from the Legal Service, the floor turned to the Members of Parliament (“MEPs”) to provide their views on the case and its repercussions. The MEPs all raised similar points, including:
- The invalidation of the Safe Harbor regime was considered to be “unsurprising”. In order to ensure that the terms of any “new” Safe Harbor are legally sound, it will be crucial to assess the adequacy of the U.S. legal regime and the possibility of EU citizens being able to seek legal redress in the U.S. if their personal data is accessed by the authorities. Indeed, MEPs felt that the ongoing discussions on a new Safe Harbor may need to be re-evaluated as a result of this ruling.
- Some MEPs suggested that the CJEU’s ruling may impact on other EU agreements, laws and treaties, including discussions with the U.S. on the Transatlantic Trade and Investment Partnership (“TTIP”), the Passenger Name Record (“PNR”) Directive, and the Umbrella Agreement on data protection standards for transatlantic law enforcement cooperation. MEPs suggested that this should be explored further.
- The role of DPAs has come to the fore as a result of this decision. Member State governments should review the role of their local DPA to ensure that high standards of data protection are being upheld in their country.
- With regard to the ongoing trilogue on the General Data Protection Regulation, a question was raised as to whether the current draft meets the requirements set out by the CJEU and appropriately accounts for the absence of the Safe Harbor.
Following comments from the MEPs, both the European Commission and the Council made statements. The Council confirmed that the Justice Council had discussed the implications of the CJEU’s ruling in a meeting held on October 9, 2015 (see here). The Commission explained that their priority is to seek a stronger and safer framework for international data transfers, and to provide guidance on how to comply with international data transfer requirements following the invalidation of the Safe Harbor. They confirmed that they are currently working with national DPAs to ensure that the CJEU’s ruling is interpreted and enforced in a harmonized way across the EU.
The Article 29 Working Party, an EU advisory body on data protection composed of representatives of the DPAs, the European Data Protection Supervisor and the European Commission, is meeting on Thursday this week (October 15, 2015) to discuss transatlantic data transfers following the CJEU’s decision. The European Parliament and the Commission will also meet in full committee on October 26, 2015 to discuss these issues in more detail.