The Court of Justice of the European Union (CJEU) has today handed down its judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
This states that:
- a Commission decision on the 'adequate protection' offered by a non-EU member state cannot exclude or reduce the powers available to national data protection authorities to examine complaints brought to them by data subjects; and
- data protection authorities do not, themselves, have the power to invalidate a Commission decision. However, data protection authorities and data subjects can refer questions of validity to national courts, which, in turn, can refer the question to the CJEU. The CJEU does have the authority to declare Commission decisions to be invalid.
The CJEU also finds the Commission's US Safe Harbor Decision to be invalid because:
- the decision contains a derogation which allows safe harborites to share data for national security purposes. However, the agencies with whom data are shared fall outside the safe harbor scheme and the Safe Harbor Decision does not address whether there is adequate protection for personal data so processed; and
- the Safe Harbor Decision sets too high a bar for data protection authorities to be able to intervene. This undermines the independence of data protection authorities. The Commission does not have the authority to do this.
Maximillian Schrems (an Austrian citizen) has been a Facebook user since 2008. Non-US Facebook users contract with Facebook Ireland, which, in turn, transfers such user data to its US servers.
Concerned by the Snowden 2013 revelations, Schrems complained to the Irish Data Protection Commissioner and asked the Irish Commissioner to investigate whether there was adequate protection for data transferred in this way.
The Irish Commissioner rejected this complaint on the basis of Commission decision 2000/520/EC of 26 July 2000 (the 'Safe Harbor Decision'). This provides that data may be transferred to US companies which participate in the 'Safe Harbor' scheme, on the basis that the scheme provides 'adequate protection'. The Irish Commissioner considered that he was, in effect, bound by this finding.
Schrems judicially reviewed the finding of the Irish Commissioner. The High Court of Ireland requested a preliminary ruling on the question of whether or not the Irish Commissioner was absolutely bound by the default position within the Safe Harbor Decision, notwithstanding the need to give effect to rights under the EU's Charter of Fundamental Rights 2000 (the 'EU Charter') and the Data Protection Directive (Directive 95/46/EC).
Opinion of Advocate General Bot
Advocate General (AG) Bot delivered his opinion on 23 September 2015. For more details, please see our previous article here.
Judgment of the CJEU
In today’s judgment, the CJEU stated that it alone has jurisdiction to declare that an EU act, such as the Commission's US Safe Harbor Decision, is invalid.
Where a national authority or the person bringing the matter before a national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the CJEU if they too have doubts as to the validity of the Commission decision. It is thus ultimately the CJEU which has the task of deciding whether or not a Commission decision is valid.
Having conducted a review of the Commission's US Safe Harbor Decision, the CJEU considers it should be invalidated for the following reasons:
- The safe harbor scheme contains a derogation allowing personal data to be processed for US national security, public interest and law enforcement requirements, irrespective of the safe harbor principles.
- The Commission itself has admitted in two communications that (i) US authorities are able to access the transferred personal data in a way incompatible, in particular, with the purposes for which it was transferred and to an extent beyond that strictly necessary and proportionate for the protection of national security and (ii) affected individuals currently have no administrative or judicial means of redress enabling the data relating to them to be accessed and, as the case may be, rectified or erased.
- The CJEU referred to the tests set out in the Digital Rights Ireland case (C-293/12 and C-594/12), which addressed the legality of EU data retention legislation, and noted that, inter alia, there would need to be clear and precise rules of law relating to such activities and that data should only be processed where strictly necessary.
- In 2000, the Commission did not assess whether the US in fact ensured, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the Directive, read in the light of the Charter.
Accordingly, the decision is invalid.
The CJEU also confirmed that the Decision restricted the ability of data protection authorities to investigate, by setting the bar for intervention too high. The Directive requires that data protection authorities have independence in their activities and did not authorise the Commission to restrict this right. Accordingly, on this ground as well the CJEU finds the Safe Harbor Decision to be invalid.
The decision creates significant uncertainty for organisations who rely on safe harbor either for their own, internal data transfers, or because they use a service provider which, in turn, relies on safe harbor to provide adequacy for its transfers to the US.
Alternative methods of addressing data transfers will be needed - such as implementing EU Commission approved data transfer agreements, or obtaining individual consent.
Although the decision has invalidated safe harbor - with immediate effect - organisations will need to look to the reactions of national data protection authorities to determine how urgently to implement alternative data transfer solutions. For example, the UK Information Commissioner has already issued a measured press release today, noting that, whilst alternative approaches will be needed, it will be taking time to assess the situation, including by liaising with other EU data protection authorities.