In Case C-362/14 Maximillian Schrems v Data Protection Commissioner, Advocate General Bot has published his Opinion (full text here), which aims to provide guidance to the Court of Justice of the European Union. His Opinion amounts to a clear condemnation of the suggestion that the access to data transferred to the USA by the US security services can be consistent with the principles of safe harbour.
Background
The case was referred to the CJEU by the High Court of Ireland, which asked the following question:
Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC ) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding?
Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?
This referred question was the result of objections from Maximillian Schrems, an Austrian citizen. He had been a Facebook user since 2008 and, as with every other subscriber residing in the EU, some or all of the data provided by him to Facebook had been transferred from Facebook’s Irish subsidiary to servers located in the USA and then kept there. Mr Schrems lodged a complaint with the Data Protection Commissioner in Ireland, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, the law and practices of the USA offer no real protection against surveillance of the data transferred to that country. His complaint was rejected, on the grounds, in particular, that in a decision of 26 July 20002 (Decision 2000/520) the Commission considered that, under the ‘safe harbour’ scheme, the USA ensures an adequate level of protection of the personal data transferred.
Opinion
According to Advocate General Bot, the Commission decision finding that the protection of personal data in the USA is adequate does not prevent national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the USA. The Advocate General considers furthermore that the Commission decision is invalid.
The Data Protection Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The Directive also provides that the Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
The Advocate General states first of all that, in the light of the importance of the role played by the national supervisory authorities with regard to data protection, their powers of intervention must remain intact. If the national supervisory authorities were absolutely bound by decisions adopted by the Commission, this would inevitably limit the total independence to which they are entitled under the Directive. The Advocate General thus draws the conclusion that, if a national supervisory authority considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision. The power conferred by the Directive on the Commission does not affect the powers which the Directive has conferred on the national supervisory authorities. In other words, the Commission is not empowered to restrict the powers of the national supervisory authorities.
While the Advocate General acknowledges that the national supervisory authorities are legally bound by the Commission decision, he considers, however, that such a binding effect cannot require complaints to be rejected summarily, that is to say, immediately and without any examination of their merits, in particular as the competence to find that a level of protection is adequate is one that is shared between the Member States and the Commission. A Commission decision does, admittedly, play an important role in ensuring uniformity in the conditions governing transfers that are applicable within the Member States, but that uniformity can continue only while that finding is not called into question. That finding can be called in question by a complaint which the national supervisory authorities must deal with under the investigative and banning powers that they are granted by the Directive.
Furthermore, according to the Advocate General, where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data.
Given the doubts expressed during the proceedings as to the validity of the Commission’s Decision 2000/520, the Advocate General considers that the Court should determine this issue and he comes to the conclusion that the decision is invalid. It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the USA allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Those findings of fact demonstrate that the Commission Decision does not contain sufficient guarantees. Owing to that lack of guarantees, that Decision has been implemented in a manner which does not satisfy the requirements of the Data Protection Directive or the Charter.
The Advocate General considers furthermore that the access enjoyed by the US intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the USA amounts, in the Advocate General’s view, to an interference with the right of EU citizens of the to an effective remedy, protected by the Charter.
According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the US intelligence services is mass, indiscriminate surveillance. Indeed, the access which the US intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the USA, breaches of the principles for the protection of personal data committed by public actors, such as the security agencies, in respect of citizens of the EU.
Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General, the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the USA in order to put an end to the shortcomings found. The Advocate General indeed observes that, when the Commission decided to enter into negotiations with the USA, it did so because it considered that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.
What now?
This is a clear and uncompromising Opinion. It will shake many in the technology industry and will certainly give new impetus to the ongoing negotiations over safe harbour. But the Advocate General’s Opinion is not binding on the CJEU and a number of high profile cases have seen the Court’s judges part company with a previously published Advocate General’s Opinion.
Max Schrems reaction can be found here: http://www.europe-v-facebook.org/GA_en.pdf. As you may expect, he welcomes the Opinion and includes a reaction that anticipates reactions from other quarters: ‘The approach the advocate general has proposed is balanced and protects the fundamental rights of the users and the free flow of data. I am sure lobby groups will again predict the ‘end of the internet’. In fact this case only addresses outsourcing of data from a European to a US company if the data is shared for mass surveillance.’
John Higgins, Director General of DIGITALEUROPE, said:
We are concerned about the potential disruption to international data flows if the Court follows today’s Opinion. In addition to the disruption a Court ruling would have on international data flows, it would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU. …the Safe Harbour mechanism …is used by about 4,500 companies to transfer a wide range of commercial data such as payroll and customer data. The disruption to international data flows could be felt far beyond the transfers to the US under Safe Harbour. Other similar instruments – such as model contract clauses and adequacy decisions – that underpin data transfers to many third countries may also be impacted if the Court follows the Opinion of its Advocate General.