Schrems will from now on be one of those names that lose contact with the individual carrying them and are doomed to epitomize a radical shift in legal frameworks. Just as happened to Mr. Bosman (whom not many may remember as a – not bad indeed – footballer but many would associate with the judgment that declared the illegality of limitations to the free circulation of EU sport professionals), or to Mr. Manfredi (a car owner like millions, whose lawsuit against cartelised insurance companies for compensation of damages triggered yet another landmark judgment of the EUCJ). These names are now useful keywords for law practitioners searching for the case law on the Internet. I think, however, that Mr. Schrems will not object to this usage of his personal data (even though the right to be forgotten is there, looming in the background).
The most interesting part of the EUCJ’s judgment is not that it killed the Safe Harbour scheme as a viable solution for the flow of data. Actually, the words sentencing the Safe Harbour to death after Snowden’s revelations concerning the Prism program had already been written in April 2014, when the EUCJ released its judgment in Digital Rights Ireland (joined cases C-293/12 and C-594/12). On this basis, in an article published in June this year (which can be found here), I in fact stated that the outcome of the Schrems case was not too difficult to predict.
Probably the first interesting point of the Schrems judgment is the recognition that Data Protection authorities are not bound by a Commission adequacy finding and can indeed object to it.
Maybe even more interesting is how the Court decided to quash the Safe Harbour. The gist of the judgment is in paragraphs 96 to 98. After articulating in the preceding paragraphs how harmful the USA’s telecommunication mass surveillance practices can be for citizens’ fundamental rights to personal data protection, the Court surprisingly halts a millimetre before drawing the most obvious conclusion from those premises, i.e. that the Safe Harbour principles are not adequate. Instead the Court has opted for a formalistic argument, finding that, “…The Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid”.
This line of reasoning may have been suggested by a sort of diplomatic hesitation. The thing is, however, that this reasoning leaves no room in the Court’s judgment for those commentaries, which I have read, that seem to question the EUCJ’s authority to invalidate an international agreement. I should add that it is at least doubtful that Safe Harbour can qualify as an international agreement/treaty in a legal sense. It is true that it was negotiated between US and EU authorities. However, in the end, it had the form of a scheme that US companies can voluntarily adopt. The scheme was internalized within the EU legal system not by way of ratification but by way of a unilateral “adequacy” decision (no. 2000/520) of the Commission, adopted pursuant to article 25(6) of Directive 95/46. Even more bemusing are those commentaries stating that the Safe Harbour is still a viable solution for data transfers, because it would now be up to national DP authorities to evaluate the adequacy. As if the EUCJ’s judgments were not binding for all Member States and their bodies.
To sum up, the EUCJ’s decision in the Schrems case does not come unexpectedly. However, it is not totally reassuring as an outcome. The trade relations between the US and the EU are of dramatic importance, and so is the data flow. US enterprises are not only scary big data, but are digital champions, who have made the life of EU consumers better. The solution must be political, and the protection of citizens’ personal data from the illegal interference of intelligence services must remain high on the agenda of political leaders until a solution is found. At present, the outcome of the Schrems case might be that of creating an entrenched regional Internet, requiring that data stay in EU data centres, thereby ignoring the complexity of essential digital services (like cloud-based services) and running counter to the original idea of an open Internet leading to an interconnected World. This would be a protectionist move, a leap backward.