19/10/15

The Commission's US Safe Harbour Decision invalidated by the CJEU

On 6 October 2015 the Court of Justice of the European Union (hereafter CJEU) rendered a major decision by reaffirming the importance of the protection of personal data including when transferring these data outside the European Union (Maximillian Schrems v Data Protection Commissioner, C-362/14)[1]

BACKGROUND

Maximillian Schrems is an Austrian citizen and a Facebook user since 2008. As with all EU-resident Facebook members, data he provides to Facebook is transferred from their Irish subsidiary to US servers where it is processed.[2]
On June 2013, Mr Schrems filed a complaint against “Facebook Ireland” with the Irish Data Protection Commissioner (“DPC”) regarding the transfer of his data from Facebook Ireland Limited to Facebook Inc in the US. In his complaint, Mr Schrems specifically requested the DPC to review the validity of the Safe Harbour Decision and, if necessary, to seek a preliminary ruling from the ECJ.

What is the Safe Harbour Decision?
EU Directive 95/46/EC[3] on the protection of personal data indicates that only the transfers of personal data from a Member State to a third country with an adequate level of protection are authorised. In this respect, the main objective of the Safe Harbour executive Decision[4] negotiated in the late 90s between the US authorities and the European Commission was to confirm that where US companies participate in the Safe Harbourscheme, data is adequately protected. The Safe Harbour agreements are one of the legal instruments most used by companies established in Europe to transfer data to the United States.

The DPC rejected this complaint in July 2013, on the ground of the Safe Harbour Decision.

The High Court of Ireland, before which the case has been brought in March 2014, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and,where appropriate, from suspending the contested transfer of data.

KEY POINTS OF THE JUDGMENT

Following the Opinion of the Advocate General published on 23 September[5] the Court of Justice rendered its judgment on 6 October 2015.

Powers of National Supervisory Authorities
In its judgment the CJEU holds that the rights relating to the protection of personal data form an integral part of the system of fundamental rights of the European Union and “that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive” [6]. Consequently, the data protection authorities, as described in Article 28 of Directive 95/46/EC[7] must always have the possibility to investigate, in complete independence, regarding a complaint alleging that a third country does not ensure an adequate level of protection for personal data transferred.

Validity of U.S.-EU Safe Harbour Decision
In its judgment, the CJEU also assessed the validity of the Safe Harbour Decision.

  • “The Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements”;
  • “The Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law”;
  • “Finally, the CJEU stated that the Safe Harbour Decision denies the national supervisory authorities their powers”[8].

For all of the reasons set forth above, the CJEU declared the Safe Harbour Decision invalid.
The Luxembourg Ministry of Justice has specified that “the invalidation of the Safe Harbour regime, although having an impact on all stakeholders concerned, does not preclude transfers to the US taking place on the basis of other mechanisms (Binding Corporate Rules, standard contractual clauses, contract, consent etc)”.[9]

Next steps
Following the judgment of the CJEU, the Irish supervisory authority is required to examine “Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data”. The Irish High Court set the date for the national decision on 20th October 2015.

The Court of Justice of the European Union judgment reinforces the need for rapid adoption of EU data protection reform - according to the Luxembourg presidency which remains committed to the objective of finalising this reform by the end of the year[10] - and the confirmation of the European Commission's approach for the renegotiation of the Safe Harbour[11].

Footnotes

[1] CJEU judgment: Judgment in Case C-362/14, Maximillian Schrems v Data Protection Commissioner

[2] CJEU summary of the judgment : Court of Justice of the European Union, press release No 117/15, Luxembourg, 6 October 2015

[3] EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 - 0050

[4] Commission 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, Official Journal L 215 , 25/08/2000 P. 0007 - 0047

[5] CJEU Opinion: Opinion in Case C-362/14, Maximillian Schrems v Data Protection Commissioner

[6] CJEU Summary of the judgment : Court of Justice of the European Union, press release No 117/15, Luxembourg, 6 October 2015

[7] EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 - 0050

[8] CJEU Summary of the judgment : Court of Justice of the European Union, press release No 117/15, Luxembourg, 6 October 2015

[9] Luxembourg Ministry of Justice - Court judgment reinforces the need for rapid adoption of EU data protection reform:  http://www.gouvernement.lu/5300667/06-protection-donnees

[10] Luxembourg Ministry of Justice - Court judgment reinforces the need for rapid adoption of EU data protection reform : http://www.gouvernement.lu/5300667/06-protection-donnees

[11] European Commission – Statement - Speaking points of First Vice-President Timmermans and Commissioner Jourová First Vice-President Timmermans and Commissioner Jourová 's press conference on Safe Harbour following the Court ruling in case C-362/14 (Schrems): http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm

dotted_texture