On 23 September 2015, Advocate General Bot of the Court of Justice of the EU delivered his Opinion in Schrems v Data Protection Commissioner (Case C‑362/14). The Opinion grabbed headlines, because it concluded that US data protection rules – the so-called Safe Harbour principles, which allegedly permit the wholesale disclosure of EU citizens’ data to the National Security Agency – unlawfully breach EU privacy rights, and are invalid. This part of the Opinion has already been discussed at length in the press, so we do not propose to go over it here.
While the invalidity of the Safe Harbour decision grabbed headlines, there is another aspect of the Opinion which could, if adopted, have potentially more far reaching legal effects. The AG expressed the view that Commission Decisions on the adequacy of a third country’s data protection law were “not absolutely binding” on national data protection authorities (“DPAs”). Even where the Commission had approved the data protection regime of a non-EU state, national data protection authorities were nevertheless required to investigate complaints about alleged shortcomings in that state’s protections. Where, in the view of the national DPA, these protections were inadequate, the national DPA is required to suspend the transfer of data to that state.
The AG reached this conclusion on the basis that the principle of the independence of national DPAs – stated in the Data Protection Directive, and alluded to in Article 8 of the Charter of Fundamental Rights – means that national DPAs’ powers to investigate cannot be limited by decisions adopted by the EU Commission in relation to third country transfers. Despite secondary legislation adopted by the Commission, national DPAs retain the power to independently assess compliance with fundamental rights.
If adopted, this part of the Opinion would have a major impact on the uniform application of data protection rules across the EU. One consequence of the Opinion is that the transfer of employee data from EU affiliates to a US parent company under Safe Harbour rules (or, indeed, any revised Safe Harbour agreement) may be permitted by some national DPAs, but prohibited by others. Businesses operating across EU jurisdictions could, therefore, be faced with a multiplicity of investigations and differentiated national regulatory requirements relating to third country transfers. This would be a significant set-back in terms of legal certainty.
More fundamentally, such a ruling by the CJEU would represent a significant departure from the traditional understanding of basic EU law principles. The proposition that national authorities have a discretion to disapply EU legislation where necessary to protect fundamental rights (a power that is not even enjoyed by national Supreme Courts) appears to conflict with the long-standing approach of the CJEU to the supremacy of EU law over national law.
The Opinion also appears to confer the principle of the independence of data protection authorities with an elevated status within the EU constitutional order. The AG takes the view that the principle of DPA independence prohibits the Commission from adopting secondary legislation which constrains the ability of national DPCs to take independent decisions. It is difficult to reconcile this view with the ordinary understanding of the relationship between the EU legislator and national administrative bodies. It is also difficult to understand how a Commission Decision can be characterised as “not absolutely binding”, in light of the established principles governing the legal effect of EU legislative acts.
If accepted, the AG’s Opinion is likely to require revisions to the draft General Data Protection Regulation, currently being negotiated between the EU Member States, Commission and Parliament. The draft Regulation is based on the assumption that it is possible to delegate to the Commission the power to adopt secondary legislation which binds national data protection authorities. Several clauses in the draft Regulation – for example, those governing model contractual clauses and adequacy decisions – are designed to permit such binding decisions. In addition, the latest drafts of the General Data Protection Regulation put significant focus on measures intended to align the positions of various national DPAs through the so called “consistency mechanism” and the European Data Protection Board. These measures may now be legally suspect, given the AG’s comments on the importance of the “absolute independence” of national DPAs.
In short, many aspects of the GDPR may need to be revisited should the CJEU chose to adopt theSchrems Opinion. At the very least, the Opinion may delay the adoption of the GDPR since the negotiators may need to wait for clarification from the Court on some of the difficult issues raised by the AG.