Those guest Kats just keep cropping up again, even after we think we've said goodbye. Not so long ago, Valentina Torelli was one of our three carefully selected guest colleagues -- and here she is again, this time with her take on an important data protection ruling from Europe's top court, a ruling that may not have made a lot of Americans very happy. Here's what she has to say:
Even as we await the new EU Regulation on data protection, which will supersede Directive 46/95 (the Data Protection Directive), the Court of Justice of the European Union (CJEU) ruled on 6 October 2015 on the reference for a preliminary ruling in Case C-362/14 Maximilian Schrems v Data Protection Commissioner, finding invalid the US-EU agreement on the processing of individuals’ personal data and the free movement of such data, the so called “Safe Harbour” scheme set out in Commission Decision 520/2000
The case stemmed from a complaint filed by an Austrian citizen, Maximillian Schrems, with the Data Protection Commissioner in Ireland, following the transfer to servers located in the US for processing at least some of the data that he had provided to Facebook in signing-up with Facebook’s Irish subsidiary. Schrems’ concerns originated from revelations that came to public light as part of the Snowden affair in 2013, when EU citizens became aware that US intelligence services, in particular the National Security Agency (‘NSA’) could gain access to the data transferred from the EU to the US without US law and practice limiting such surveillance activity.
The Data Protection Commissioner rejected Schrems’ complaint on the basis of Commission Decision 520/2000, which stated that the “Safe Harbour” scheme regulating privacy protection of data transferred from the EU to the US ensured an adequate level of protection in compliance with the Data Protection Directive. Schrems then took his complaint to the High Court of Ireland, which was asked to determine whether the powers conferred by the Data Protection Directive to both the national supervisory authorities and the Commission were cumulative or mutually exclusive The Court referred the following two questions to the CJEU for a preliminary ruling:
1. Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC3 notwithstanding?
2. Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?The CJEU affirmed Advocate General Bot’s Opinion of 23 September 2015, holding that the existence of a Commission decision on the adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data and that the Commision’s Safe Harbour Decision was invalid.
First, the Court held that the mere existence of a Commission decision adopted under Article 25(6) of Directive 95/46, such as Decision 520/2000, which had found that, even if a third country ensures an adequate level of protection of the personal data transferred, a concerned individual may still bring a complaint with the national supervisory authorities. Such authorities are vested with powers under both Article 8(3) of the Charter of Fundamental Rights of the EU and Article 28 of the Data Protection Directive: such powers cannot be eliminated or even attenuated by a decision of the Commission. The Court stressed that the national supervisory authorities must be completely independent in examining whether the transfer of an individual’s data to a third country complies with the Data Protection Directive. This is so, irrespective of the existence of a previous Commission decision on the same issue.
The Court stressed that individuals such as Schrems, who believe that the Commission decision is invalid, as well as national authorities which have been vested with reviewing the matter of data protection, must both be given the right to bring that claim before the national courts. In turn, these courts may refer to the CJEU for a preliminary ruling, that court being the sole authority to determine the validity of a Commission decisions by virtue of Article 263 TFEU.
The Court then considered whether US law and practice regarding the processing of personal data comply with the requirements and guarantees contained in the EU Data Protection Directive and in the Charter. The Court answered—“no". The Commission had merely stated that the Safe Harbour scheme was acceptable under the principles set out by the Data Protection Directive, without analyzing whether the US data protection legislation as such offered the adequate level of protection to EU citizens.
According to the Court, the Safe Harbour is not in line with EU data protection rules. The purpose of the Safe Harbour scheme was to create a framework for US-EU data protection whereby
“organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure”.The scheme would apply only to US undertakings, which could disregard its provisions in the event of a conflict with national security, the public interest or law enforcement, all of which came before data protection on a sliding scale of priorities. Further, US public authorities such as the NSA are not even subject to the Safe Harbour scheme.
Finally, the Court observed that Commission Communications 846/2013 and 847/2013 showed that the processing of EU personal data in the US by US authorities went beyond what was strictly necessary and proportionate for the protection of national security. At the same time, concerned individuals had no means of redress to access, rectify and eventually erase their data. Finally, the Court observed that those same Commission Communications showed that the processing of EU personal data in the US on the part of US authorities went beyond what was strictly necessary and proportionate for the protection of national security: concerned individuals had no means of redress to access, rectify and eventually erase their data. The Court thus found that there was no equivalent level of protection f for the fundamental rights and freedoms guaranteed in the EU, by which the right to privacy under EU law can be derogated by the collection, storage and processing of personal data only when strictly necessary.
The Court added that, in the EU,
”[l]egislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail”.This being so, Shrems’s fundamental right to privacy and to effective judicial protection were compromised by the Safe Harbour Decision. This was so because the decision, in confirming the Safe Harbour framework which provided that all EU Member States would be bound by the European Commission’s finding of “adequacy” of the scheme, did not enable the national authorities to verify that the Safe Harbour principles, as implemented in for the US, were limited to what was strictly necessary. The Data Protection Commissioner thus had the power to examine Schrems’ case thoroughly in deciding whether the transfer to the US of data obtained from Facebook subscribers in Europe should be suspended, if there were found to be an inadequate level of protection of personal data.