This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here). The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the Safe Harbor, but the validity of the Safe Harbor itself; the AG found that the entire Safe Harbor is invalid as it fails to adequately protect personal data transferred from the EU to the United States.
In 2013, following the Snowden revelations, Austrian student Max Schrems filed a complaint with the Irish Data Protection Commission (“Irish DPA”) claiming, in essence, that the law and practices of the U.S. offer no real protection for EU citizens’ personal data kept in the U.S. against State surveillance. Schrems’ complaint related to his use of Facebook and the transfer of personal data relating to him under the Safe Harbor to Facebook U.S. (Schrems did not allege that Facebook U.S., as a self-certifying entity to which data is transferred, itself violated the Safe Harbor principles because of any access by U.S. authorities to data that Facebook holds. The Irish High Court acknowledged this, and the AG found that the allegations “do not amount to a breach by Facebook of the safe harbour principles”.)
The Irish DPA considered that it was not required to investigate the complaint on the basis that it was unsustainable in law: Facebook had self-certified under the Safe Harbor regime, and the Commission had decided in Decision 2000/520/EC that under the Safe Harbor scheme the United States ensured an adequate level of protection of the personal data transferred.
Schrems brought proceedings before the High Court in Ireland for judicial review of the Irish DPA’s decision rejecting his complaint. The Irish High Court, in turn, referred questions to the CJEU, essentially to ascertain whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on national data protection authorities and prevents them from investigating allegations challenging that finding.
Powers of national DPAs
First, the AG concluded that, under EU law, Decision 2000/520 does not prevent national DPAs from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data. The AG came to this conclusion based on a review of several authorities, including relevant provisions of Directive 95/46, prior CJEU precedent, the Charter of Fundamental Rights of the EU, and his interpretation of Commission Decision 2000/520 itself.
The validity of Commission Decision 2000/520
Despite the issue not being expressly referred to the CJEU, the Advocate General considered that the CJEU should determine the validity of Decision 2000/520. The AG considered that Decision 2000/520 is invalid as it fails to adequately protect personal data transferred from the EU to the U.S.
In the AG’s view, the problem arises primarily from the U.S. use of derogations in the Safe Harbor, which allow for the Safe Harbor principles to be limited in order to meet “national security, public interest or law enforcement requirements” or to address conflicts of law. The AG noted that (i) there is no independent authority capable of verifying that the implementation of the derogations from the Safe Harbor principles is limited to what is strictly necessary; and (ii) EU citizens do not have means to obtain access to or rectify or erase their data, or administrative or judicial redress with regard to collection and further processing of their personal data by the U.S. security agencies. Accordingly, Decision 2000/520 does not contain sufficient guarantees or satisfy requirements of the Data Protection Directive (which gives national DPAs certain investigatory and enforcement powers) or the Charter of Fundamental Rights.
What is the impact?
The AG’s Opinion could have an impact on organizations and broader political discussions regarding EU-U.S. data flows.
- If the CJEU follows the AG’s Opinion and rules that the Safe Harbor is invalid, organizations that rely on the Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the United States. Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent. Binding Corporate Rules are another alternative, but would require more time to put in place.
- Negotiations on the proposed EU-U.S. Safe Harbor framework are still under way (see our earlier posts here and here). It will be interesting to observe the impact that the AG’s findings have on these negotiations, particularly regarding requirements that the AG states the U.S. should put in place and about the independence of national DPAs vis-à-vis the Commission.
Also, for those of you wondering if the proposed Regulation may provide a solution, this seems unlikely. The AG bases some of his findings on provisions of the current Data Protection Directive, but also refers quite extensively to primary EU law, i.e., Articles 7, 8 and 47 of the Charter of Fundamental Rights. Replacing the Directive with the Regulation would not address more fundamental objections that are based on the Charter.
The CJEU will now review the AG’s Opinion, and in the ordinary course of events can be expected to issue its judgment in 5-7 weeks’ time, i.e., at the very end of October, or early November.