CJEU: EU-Commission’s "US Safe Harbor" Decision Invalid

On 6 October 2015, the CJEU declared that the EU-Commission’s US Safe Harbour Decision is invalid. The CJEU alone has jurisdiction to declare an EU act invalid and this decision in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14) affects all transfer of personal data into the USA under the umbrella of the "Safe Harbor" principles. Furthermore, the CJEU strengthened the powers of national supervisory bodies: Where a claim is lodged with the national supervisory authorities they may, even where the EU-Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.

Facts of the Case

The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The Directive also provides that the EU-Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the Directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the Directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the EU-Commission considered that, under the ‘safe harbor’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred (the "Safe Harbor" Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that EU-Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

The CJEU holds that the existence of a EU-Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Directive. The CJEU stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

Competence of the CJEU

The CJEU states, first of all, that no provision of the Directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a EU-Commission decision. Thus, even if the EU-Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive. Nevertheless, the CJEU points out that it alone has jurisdiction to declare that an EU act, such as a EU-Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a EU-Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the CJEU if they too have doubts as to the validity of the EU-Commission decision. It is thus ultimately the CJEU which has the task of deciding whether or not a EU-Commission decision is valid.

Validity of "Safe Harbor" Decision

The CJEU then investigates whether the "Safe Harbor" Decision is invalid. In this connection, the CJEU states that the EU-Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the Directive read in the light of the Charter. The CJEU observes that the EU-Commission did not make such a finding, but merely examined the safe harbor scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the CJEU observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the EU-Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The CJEU considers that that analysis of the scheme is borne out by two EU-Commission communications, according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the EU-Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the CJEU finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The CJEU adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the CJEU observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the CJEU finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The CJEU holds that the EU-Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the CJEU declares the "Safe Harbor" Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

(ga)

CJEU, decision of 6 October 2015 in case of Maximillian Schrems v Data Protection Commissioner (C-362/14)

CJEU, press release no. 117/15, 6 October 2015