Judgment of the Court of Justice of the European Union of 6 October 2015 in case C-362/14 Maximilian Schrems v Data Protection Commissioner

Background of the case

The Data Protection Directive 1 provides that European companies may only transfer personal data to a country outside the European Economic Area (EEA) if such ‘third country’ affords an adequate level of personal data protection. This adequacy can be established in a number of ways, one of which is a decision to that effect of the European Commission by reason of the third country’s domestic law or of the international commitments it has entered into.

On 26 July 2000, the European Commission adopted a decision (the ‘Safe Harbour Decision’) declaring that United States companies that voluntarily adhered to the US Safe Harbour Principles, a self-certification system, ensure an adequate level of protection.

In addition, the Data Protection Directive provides that EU Members States shall designate one or more public authorities to monitor compliance with internal legislation implementing the Directive.

Dispute

In 2013, following Edward Snowden’s leaks concerning the US National Security Agency, an Austrian citizen named Maximilian Schrems lodged a complaint with the Irish supervisory authority on account of personal data related to his Facebook profile being transferred from Facebook’s subsidiary in Ireland to servers based in the US, a country which could not, in his opinion, offer an adequate level of protection.

The Irish supervisory authority rejected the complaint on the grounds of the existence of the Safe Harbour Decision. The High Court of Ireland, before which the case is pending on appeal, decided to refer the matter to the CJEU for a preliminary ruling on whether the Safe Harbour Decision prevents national supervisory authorities from examining a complaint alleging that a third country does not afford an adequate level of personal data protection.

Judgment

On 6 October 2015, the CJEU has delivered a judgment which follows the opinion given by Advocate General Yves Bot, published only two weeks ago (a surprisingly short period of time).

First, the CJEU has clearly stated that national supervisory authorities cannot be prevented from investigating a complaint by virtue of a decision of the European Commission as this could reduce or even remove the powers available to these national authorities pursuant to the Data Protection Directive and the EU Charter of Fundamental Rights. Therefore, even if the Commission has adopted a decision, national supervisory authorities must be able to examine with total independence whether the transfer of an individual’s personal data to a third country complies with the requirements laid down by the Directive.

Nevertheless, the CJEU points out that it alone has jurisdiction to decide on the validity of an EU act, and reaches the conclusion that when examining the safe harbour scheme, the European Commission did not carry out an analysis on whether the US effectively ensures, by way of its domestic law or international commitments, a level of protection of fundamental rights equivalent to that guaranteed in the EU for personal data protection.

Finally, the CJEU has assessed the validity of the Safe Harbour Decision concluding that US legislation does not comply with the EU Charter of Fundamental Rights.

  • On the one hand, the fact that US legislation allows for a generalized storage of all personal data without any differentiation, limitation or exception pursuant to the objective sought and without an objective criterion for determining the limits of access to the public authorities, compromises the fundamental right to respect for private life.
  • On the other hand, the fundamental right to effective judicial protection would also be compromised since US legislation does not provide individuals with legal remedies to access, rectify or erase personal data.

In the light of these findings, the CJEU concludes that the Safe Harbour Decision is invalid. The Irish regulatory authority shall now examine the issue and take a decision on the data transfers from Facebook Ireland to its parent company in the US.

Position of the Spanish Data Protection Agency (SDPA)

For the SDPA, “the judgment, the implications of which mark a turning point in the way international data transfers to the US are made, reaffirms the importance of privacy and data protection, fundamental rights that should enjoy the greatest possible guarantees”

The SDPA points out that some European Data Protection Authorities observed deficiencies in the Safe Harbour and expressed these in several letters and opinions. Now, according to the SDPA, such authorities have planned coordinate actions in order to analyse the judgment’s implications and the national actions which will be carried out, ensuring a consistent application in all EU countries.

What to expect now

Given the loophole that has been created - and whilst waiting for the European Commission and, where appropriate, Data Protection authorities to give indications on how to proceed - entities could proactively take the following steps: (i) identify the notifications made to date under the safe harbour scheme if additional precautionary measures have to be implemented; and (ii) if there is a need to transfer data to the US, obtain prior authorisation for international data transfers, with all that that implies.