An Unsafe Harbour: Schrems v. Data Protection Commissioner, C‑362/14

Last week’s decision of the European Court of Justice in Schrems v. Data Protection Commissioner, C-362/14 deemed invalid an important self-certification regime for companies transferring personal data to the United States from the European Union. Several aspects of the decision are of general interest.

Schrems is an Austrian student who, like most of us, has a Facebook account. He objected to Facebook’s practice of transferring users’ personal data from Europe to the United States, especially in light of recent revelations about the National Security Agency’s practice of trawling through data in order to identify security risks. Schrems asked Ireland’s Data Protection Commissioner to investigate.

The Commissioner refused to do so. Although an E.U. Directive provides that “the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if…the third country in question ensures an adequate level of protection” and that national supervisory authorities in the E.U. member states “shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data” (Directive 95/46/EC, arts. 25.1, 28.4), there is a provision which allows the European Commission to find that a third country “ensures an adequate level of protection” (ibid., art. 25.6). Pursuant to this provision, the Commission made a finding that self-certified compliance with a set of “safe harbour privacy principles” secured an adequate level of protection. Facebook benefited from the safe harbour. Hence the Irish Data Protection Commissioner’s conclusion that an investigation was not possible.

On a reference to the European Court of Justice from a very skeptical Irish High Court (Hogan J., [2014] IEHC 310), however, a different view of the matter was taken.

First, the European Commission decision to create a safe harbour did not tie the Data Protection Commissioner’s hands completely. While the Commissioner could not question the validity of the decision (at para. 52), “the oversight of transfers of personal data to third countries” remained within the “sphere of competence” of national supervisory authorities (at para. 54). To find otherwise would be to deny an individual effective recourse for a violation of his fundamental rights of privacy and data protection (guaranteed by articles 7 and 8 of the European Charter). After all, “the European Union is a union based on the rule of law in which all acts of its institutions are subject to review of their compatibility with, in particular, the Treaties, general principles of law and fundamental rights” (at para. 60). Accordingly, where an individual “lodges with a national supervisory authority a claim concerning the protection of his rights and freedoms in regard to the processing of that data and contests…the compatibility of that decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, it is incumbent upon the national supervisory authority to examine the claim with all due diligence” (at para. 63). Of general interest here is the narrow construction of the scope of the European Commission’s decision, influenced amongst other things by the fundamental principle that individuals should have access to independent decision-makers in order to ensure compliance with the law. It is worth noting that the independent decision-maker here was an administrative agency, rather than a court, and that the question of compliance concerned a private party in large part.

Second, the safe-harbour decision was invalid. Adequate protection meant “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” (at para. 73), but the European Commission’s decision was insufficient to establish this. In particular, the principles were subject to override by reference to American national interest considerations and statutory provisions (at paras. 84-86), overrides against which an individual had no meaningful recourse (at, e.g., para. 90). Indeed, the decision “does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States…” (at para. 88). As a result, the interference with private life and personal data was disproportionate:

Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (at para. 93).

Moreover, “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection…” (at para. 95). Of general interest here is that the European Commission’s decision was essentially inadequately reasoned and struck down as invalid; and again the right of access to an independent adjudicator (here, a judicial body) was very important in the Court of Justice’s chain of reasoning. 

 

This content has been updated on October 13, 2015 at 14:15.