The Advocate General, Yves Bot, of the Court of Justice of the European Union (CJEU) last week delivered his opinion in the Maximillian Schrems v Data Protection Commissioner Case, C-362/14 (the Opinion). The Opinion, which is advisory in nature, recommends that the Safe Harbour programme be invalidated and that the Irish Data Protection Commissioner (the DPC) be empowered to carry out a full investigation as to the adequacy of protection afforded to the personal data of Facebook's EU users.
Background to the Opinion
The EU Data Protection Directive (Directive 95/46/EC) (the Directive) prohibits the transfer of personal data to countries or territories outside the European Economic Area (EEA) unless those countries are considered to provide an "adequate level of protection". In this regard, the European Commission (the Commission) has the power under Article 25(6) of the Directive to make findings in relation to the adequacy of protection provided by third countries. Specifically:
- The Commission can find that a particular country does provide an adequate level of protection under its laws (so-called "White Paper" countries); or
- The Commission can negotiate international commitments with a country that it finds does not provide an adequate level of protection under its laws and make a finding based on those international commitments that the country does provide an adequate level of protection.
The US has not been included on the EU's list of approved countries; however, on 26 July 2000 the Commission made a finding - Decision 2000/520 (the Commission Decision) - of adequate protection in respect of transfers to the US where the recipient is certified under the "Safe Harbour" programme, a self-certified standard of protection enforced by the US Federal Trade Commission.
Over 3,000 US corporations have certified under the Safe Harbour programme and many rely on the Commission Decision as the principal basis for legitimating transfers made to them by their European subsidiaries and business partners.
Challenge to Facebook Ireland
In light of the revelations by Edward Snowden about alleged mass surveillance by US intelligence services of EU citizens' personal data, an Austrian law student, Max Schrems, filed a complaint with the DPC objecting to the transfer by Facebook Ireland of his personal data to Facebook Inc.'s servers in the US on the basis that the US does not ensure adequate protection of his personal data.
The DPC dismissed Mr Schrems' complaint on the grounds that the Commission Decision was binding and precluded him from investigating the matter further. Mr Schrems challenged this determination before the Irish High Court which requested the CJEU to rule on whether the DPC was absolutely bound by the Commission Decision. In particular, the High Court sought guidance on whether the DPC could look beyond or disregard the Commission Decision in light of the Snowden revelations and the coming into force of the EU Charter of Fundamental Rights (the Charter) since the Commission Decision was made.
The Opinion recommends that the CJEU make the following rulings:
- That national data protection authorities in EU member states (such as the DPC) have the power to investigate complaints alleging that a third country is not ensuring the protection of personal data transferred to that state from the EU together with the power to suspend such transfers and that these powers can be exercised regardless of any adequacy finding by the Commission; and
- That the Commission Decision be declared invalid on the basis that it fails to respect Article 7 (right of privacy) and Article 8 (right to protection of personal data) of the Charter.
Possible CJEU Outcomes
The Opinion is not legally binding and the CJEU is entitled to reach a different conclusion. Nevertheless, the strongly worded Opinion of the Advocate General does cast doubt over the legal basis of many transatlantic data flows. In assessing the potential consequences of the CJEU ruling, it is important to recognise that there are two distinct legal questions raised:
- Is the Commission Decision a binding finding on the adequacy of protection afforded by US companies that are certified under the Safe Harbour programme?
- Is the Commission Decision valid, irrespective of its binding nature?
Thus, we believe that there are three possible ways for the CJEU to rule, each of which will have quite distinct consequences.
(a) Safe Harbour is Invalid
A declaration of invalidity would have serious and immediate consequences. Most importantly, it would mean that a Safe Harbour certification could no longer be relied on to legitimise a transfer of personal data from the EU to the US. This could mean that some data transfers would no longer have a valid legal basis under EU law. However, it is likely that potentially impacted companies will put in place arrangements (see next section) so that they are in a position to rely on alternative legal grounds for justifying their transfers of personal data to the US.
If the CJEU rules that the Commission Decision is invalid, then the question of whether it is binding in nature becomes moot. In such circumstances, the likelihood is that the Irish High Court would direct the DPC to investigate Mr Schrems' complaints and to have regard to the Article 7 and 8 Charter rights in carrying out that investigation.
It should be noted that the Irish High Court did not seek a ruling on whether the Commission Decision was valid, but instead the Advocate General recommended that the CJEU make such a finding on its own motion. It is therefore quite possible that the CJEU will refrain from ruling on the validity of the Commission Decision. The fact that the Commission and the US authorities are currently renegotiating the Safe Harbour programme to take account of the Snowden revelations may mean that the CJEU will not see a need to consider the validity of the Commission Decision in its present form.
(b) Safe Harbour is Valid but Non-Binding
If the CJEU rules that the DPC can "look behind" the Commission Decision (without questioning its validity) and investigate whether or not adequate protection is provided notwithstanding a Safe Harbour certification, then the following is likely to result:
- The Irish High Court would order the DPC to carry out a full investigation of Mr Schrems' complaints taking account of his Article 7 and 8 Charter rights and the facts surrounding the Snowden revelations. One major problem with any such investigation is that orders made by the US Foreign Intelligence Surveillance Act (FISA) Court against individual companies are secret and granted on an ex parte basis (a fact already acknowledged by the Irish High Court). It is not apparent therefore whether the DPC will be able to carry out a meaningful investigation into Mr Schrems' complaints.
- There will be no immediate invalidation of data transfers to companies that rely on a Safe Harbour certification. Such transfers will continue to be presumptively lawful until such time as a finding is made by the DPC (or some other national data protection regulator) that an adequate level of protection is not provided by companies that rely on the Safe Harbour regime.
- US information service providers that rely on Safe Harbour would be vulnerable to complaints similar to those made by Mr Schrems.
(c) Safe Harbour is Valid and Binding
If the CJEU upholds the validity and binding nature of the Commission Decision, then it is likely that the Irish High Court will conclude that the DPC was correct in its decision not to investigate Mr Schrems' complaints. Of course, negotiations between the US and EU on a replacement to Safe Harbour will continue, so the subject matter of Mr Schrems' complaints will remain current.
Alternatives to Safe Harbour
The Safe Harbour regime is not the only means of ensuring that transfers of personal data from the EU to the US are lawful. Alternative methods include the Model Contractual Clauses or Binding Corporate Rules (BCRs) mechanisms. Therefore this is an opportune time for businesses to consider the suitability of these alternative structures. However, it must be said that some aspects of the Advocate General's Opinion are so wide-ranging that, if followed by the CJEU, they could call into question the underlying validity of any transfer of personal data to the US where there is a potential for such data to be subjected to the Foreign Intelligence Surveillance Act.
What Happens Next?
The ruling of the CJEU will determine whether or not the recommendations contained in the Opinion will become binding law. Most commentators expect the CJEU's judgment within the next 3 to 6 months. In parallel to the progress of this case, political discussions have been ongoing for some time in relation to amendments to the Safe Harbour regime and it is reported that these are at an advanced stage. It will be interesting to see whether the Opinion will have an impact on such discussions.