On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems v. Facebook case, following the Opinion of the Advocate General published on September 23, 2015. In its judgment, the CJEU concluded that:
- The national data protection authorities (“DPAs”) have the power to investigate and suspend international data transfers even where the European Commission (the “Commission”) has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor Privacy Principles (the “Safe Harbor Decision”); and
- the Safe Harbor Decision is invalid.
Powers of National Authorities
The CJEU concluded that a decision of the European Commission on the adequacy level of data protection provided by a non-EU country cannot eliminate or reduce the powers granted to DPAs under the EU Data Protection Directive 95/46/EC. DPAs therefore can suspend international data transfers made under the Safe Harbor Framework following an investigation. The Court, however, also stated that the CJEU alone has the ultimate jurisdiction to examine the validity of a Commission adequacy decision.
Validity of U.S.-EU Safe Harbor Framework
In its judgment, the CJEU also assessed the validity of the Safe Harbor Decision. The CJEU observed that the Safe Harbor Framework solely applies to U.S. undertakings which adhere to it, leaving out of scope U.S. public authorities. In addition, national security, public interest and law enforcement requirements prevail over the Safe Harbor Framework. When a conflict arises with respect to these requirements, the U.S. undertakings are obligated to disregard the existing protective rules. The CJEU further concluded that U.S. legislation does not limit interference with individual’s rights to what is strictly necessary. Notably, the CJEU indicated that U.S. legislation authorizes on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S. without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.
The CJEU further observed that the Safe Harbor Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU.
Finally, the CJEU stated that the Safe Harbor Decision restricts the powers of DPAs to investigate the validity of the Decision and the Commission lacked competence to do so. For all of the reasons set forth above, the CJEU declared the Safe Harbor Decision invalid.
Following the judgment of the CJEU, the Irish DPA is required to examine, with all due diligence, whether the transfer of data of Facebook’s European users to the U.S. should be suspended given that the level of protection provided by the U.S. for data transferred under the U.S.-EU Safe Harbor Framework is no longer adequate.
The Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements on the CJEU’s judgment explaining that they will work with other EU DPAs to issue further guidance for businesses and clarify the impact of the judgment on businesses.
For a summary, please see the press release of the CJEU.