CJEU, Opinion of Advocate General Bot in case C-362/14, 23 September 2015

CJEU: Advocate General’s Opinion Favours "Safe Harbor" Suspension

On 23 September 2015, Advocate General Bot issued his Opinion in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14), which affects all transfers of personal data into the USA under the umbrella of the "Safe Harbor" principles. According to his Opinion, the EU-Commission decision finding that the protection of personal data in the United States is adequate does not prevent national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the United States. Furthermore, the Opinion considers that the EU-Commission decision on "Safe Harbor" is invalid.

Facts of the Case

The Data Protection Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The Directive also provides that the EU-Commission may find that a third country ensures an adequate level of protection. If the EU-Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that EU-Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

Line of Argument by Advocate General

Advocate General Yves Bot takes the view that the existence of an EU-Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the Directive on the processing of personal data.

He considers furthermore that the EU-Commission decision is invalid.

No Power of EU-Commission to Limit National Supervisory Authorities

The Advocate General states first of all that, in the light of the importance of the role played by the national supervisory authorities with regard to data protection, their powers of intervention must remain intact. If the national supervisory authorities were absolutely bound by decisions adopted by the EU-Commission, that would inevitably limit the total independence to which they are entitled under the Directive. The Advocate General thus draws the conclusion that, if a national supervisory authority considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the general assessment made by the EU-Commission in its decision. The power conferred by the Directive on the EU-Commission does not affect the powers which the Directive has conferred on the national supervisory authorities.

In other words, the EU-Commission is not empowered to restrict the powers of the national supervisory authorities.

Scope of EU-Commission's Decision's Binding Effect

While the Advocate General acknowledges that the national supervisory authorities are legally bound by the Commission decision, he considers, however, that such a binding effect cannot require complaints to be rejected summarily, that is to say, immediately and without any examination of their merits, in particular as the competence to find that a level of protection is adequate is one that is shared between the Member States and the Commission. A Commission decision does, admittedly, play an important role in ensuring uniformity in the conditions governing transfers that are applicable within the Member States, but that uniformity can continue only while that finding is not called into question, including in the context of a complaint which the national supervisory authorities must deal with under the investigative and banning powers that they are granted by the directive.

National Duty to Protect Fundamental Rights

Furthermore, according to the Advocate General, where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data.

Invalidity of EU-Commission's Decision

Given the doubts expressed during the present proceedings as to the validity of Decision 2000/520, the Advocate General considers that the Court should determine this issue and he comes to the conclusion that the decision is invalid. It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Those findings of fact demonstrate that the Commission decision does not contain sufficient guarantees. Owing to that lack of guarantees, that decision has been implemented in a manner which does not satisfy the requirements of the directive or the Charter.

Infringement of Fundamental Rights by US Intelligence Services

The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter.

Consequence: Inadequate Level of Data Protection in the USA

According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance. Indeed, the access which the United States intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.

Duty for EU-Commission to Suspend "Safe Harbor"-Decision

Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.

(ga)

Opinion of Advocate General Yves Bot, delivered on 23 September 2015, case Maximillian Schrems v Data Protection Commissioner (C-362/14)

CJEU, Press Release No 106/15, 23 September 2015



Verlag Dr. Otto Schmidt, 26 November 2015, 11:31
