The Advocate General of the European Court of Justice has delivered his non-binding legal opinion in Schrems v. Data Protection Commissioner, a case brought by an Austrian citizen against the Irish Data Protection Commissioner concerning the transfer of Facebook data to US servers. Professor Lorna Woods, University of Essex, reports and comments on the opinion – and its potential implications.
The Data Protection Directive imposes relatively high standards of data protection on those processing data in the EU. It also prohibits the transfer of data to non-EU countries unless an adequate level of protection for the processing of data is ensured there too. Under Article 25(6) of the Data Protection Directive, the Commission can determine that a third country ensures an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into. Should the Commission adopt a decision to that effect, transfer of personal data to the third country concerned would be permissible.
The Commission adopted Decision 2000/520 pursuant to that provision accepting that the ‘Safe Harbor’ system in the United States provided a satisfactory level of protection. It sets out certain principles but mainly operates on a basis of self-certification, although the US authorities may intervene. A number of mechanisms, combining private dispute resolution and oversight by the public authorities, exist to check compliance with the ‘safe harbor’ principles.
Decision 2000/520 permits the limitation of these principles, ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’ and ‘by statute, government regulation, or case law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’. The reference concerns the legitimacy of these arrangements in the light of the Data Protection Directive and the EU Charter of Fundamental Rights.
The case was originated by an Austrian national who had signed up to Facebook, run in Europe by Facebook Ireland. All data is, however, transferred to the US parent company. Following the Snowden revelations, Schrems challenged the level of protection in the USA against state surveillance, with reference in particular to the PRISM programme, under which the NSA obtained unrestricted access to mass data stored on servers in the United States.
The Irish Data Protection Commissioner refused to investigate the complaint as according to the Irish statute, Decision 2000/520 of the Commission was final (s. 11(2)(a) Data Protection (Amendment) Act 2003). The decision was reviewed before the High Court which found that if the matter were to be determined solely by Irish law, s. 11(2)(a) would end the matter. It recognised, however, that implementation of EU law must be carried out in the light of the EU Charter. The High Court then referred questions to the Court of Justice as to whether the Data Protection Commissioner was absolutely bound by Decision 2000/520.
Opinion of Advocate-General
Competence of the Irish Data Protection Commission
The Data Protection Commissioner argued that its responsibility relates to the implementation of the Irish legislation in particular cases of application of the rules; conversely, the assessment of adequacy of the US system overall is the responsibility of the European Commission. Section 11(2)(a) reflects this division and meant that the Irish Data Protection Commission could not act on Schrems’s complaint.
Given the important role of the national authorities in the overall system of protection (para 63), AG Bot concluded that the power conferred by the Data Protection Directive on the Commission does not affect the powers which the Directive has conferred on the national supervisory authorities, so a national regulator could investigate matters notwithstanding the Commission’s decision (para 61). Art 8(3) of the Charter, which occupies ‘the highest level of the hierarchy of rules in EU law’ (para 72), requires independence (see also Case C-288/12 Commission v. Hungary and Cases C-293/12 and C-594/12 Digital Rights Ireland), and it is this quality that would be curtailed were national authorities not able to investigate a claim on its merits.
So, while the Commission plays an important role in ensuring uniformity of approach across EU Member States and its decision is binding, this cannot justify a summary dismissal of a complaint without looking into its merits (para 85). Uniformity achieved by virtue of a Commission decision, such as Decision 2000/520, ‘can continue only while that finding [of adequacy] is not called in question’ (para 89).
Here, not only has the Commission decision been criticised by others, but the Commission has also expressed its concerns and has entered into negotiation with a view to remedying the problem.
In reaching these conclusions, Bot – referring to earlier case law – emphasised that the orientation of the Directive is towards ensuring privacy. Further, the Directive must be understood in the light of the Charter, and not only that: Member States must ensure that they do not rely on interpretations of the Directive which would be inconsistent with the Charter rights (paras 99-100, relying on Case C-131/12 Google Spain and Cases C-411/10 and C-493/10 NS). Here, the existence of an irrebuttable presumption was inconsistent with the duty of Member States to interpret EU law in a manner consistent with the Charter (para 104).
Validity of Decision 2000/520
Bot then noted that it is within the scope of the court’s powers to question on its own motion the validity of an instrument which it has been asked to interpret (going back as far as Case 62/76 Strehl). The review would consider only those aspects of the safe harbour scheme that had been discussed, specifically the PRISM programme and the generalised surveillance of citizens by the NSA.
While the normal position is that a decision is assessed as at the time at which it was taken, the ECJ has recognised that circumstances might subsequently come to light which change that position. Bot suggested that this was one such case and that the review should be carried out by reference to the current legal and factual context.
The first issue is the determination of ‘adequate’. Bot argued that the purpose of the limitation on transfers was to ensure continuity of protection under the Data Protection Directive, which is described as a high level of protection. So while the means to ensure that level of protection might differ from the system in the EU, the level must be the same. Consequently, ‘the only criterion that must guide the interpretation of that word is the objective of attaining a high level of protection of fundamental rights…’ (para 142).
The Advocate General took as read two points: that the NSA would engage in surveillance; and that EU citizens had no mechanism for complaint in the USA. So,
‘the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union …without those citizens benefiting from effective judicial protection’ (para 158).
Specifically, the law enforcement derogations are too broadly worded and allow reliance on those derogations beyond what is strictly necessary. Such widespread access constitutes an interference with Art 8 EUCFR, a fact exacerbated by the secrecy surrounding these activities. While interferences can in principle be justified, here the Advocate General suggested that it was
‘extremely doubtful that the limitations at issue in the present case … [respect] the essence of Articles 7 and 8 of the Charter’ (para 177).
The exceptions are not precisely defined, nor are they proportionate. The Advocate General referred back to Digital Rights Ireland to highlight that the legislature’s discretion in this context is limited because of the significance of the right to data protection. Limits to the right must be confined to what is strictly necessary. The Advocate General highlighted the mass and indiscriminate nature of the surveillance carried out, which is ‘inherently disproportionate and constitutes an unwarranted interference’ (para 200).
It follows that third countries cannot be regarded as ensuring an adequate level of protection where such mass surveillance is permitted. Further, the safe harbour scheme – which relies on the FTC and private dispute resolution mechanisms – does not provide sufficient guarantees in terms of preventing abuse. It further permits discrimination between US citizens and EU citizens in terms of access to protection. In addition, then, to the interference with Articles 7 and 8 EUCFR, there was no right to an effective remedy, in breach of Article 47 EUCFR.
The Advocate General concluded that:
- a national regulatory authority is not precluded from investigating a complaint where there is a Commission decision such as Decision 2000/520; and
- Decision 2000/520/EC is invalid.
This is the latest in a line of opinions and judgments which have emphasised the need to protect privacy and ensure data protection and which have run contrary to the industry lobby approach of ‘we make money from it, therefore it is legal’. If the Court of Justice follows this line of reasoning, this case will have very far-reaching consequences, not just for Facebook but for all US data companies relying on the safe harbour scheme or similar. Of course the court is not bound by the opinion of the Advocate General, but it should be noted that in data protection cases where the court has departed from it (e.g. in Google Spain), the court has been more concerned about data protection than the Advocate General. Certainly, Digital Rights Ireland indicates the court is no fan of mass surveillance.
As regards the declaration of invalidity of Decision 2000/520, it should be noted that the decision is very much tied up with concerns about the activities of the NSA and the discriminatory treatment of EU citizens. That link between mass surveillance and inherent disproportionality does not automatically translate to other forms of data usage. It remains to be seen whether the “umbrella agreement” on data protection (see here) which has just been agreed between the EU and US (but which is still subject to European Parliament approval) will resolve these issues. One key point is the ending of the discrimination between US and EU citizens in terms of the rights to complain (via the adoption of the US Judicial Redress Bill).
Aside from this, there are some points which will affect any future decision as to adequacy:
- The level of protection can no longer be viewed as ‘adequate’ in the everyday English sense, but must be a continuation of the high level of protection provided by the Directive; this may well be difficult given current practice in the US regarding tracking and using such data for purposes to which subjects have not given consent;
- It is questionable what level of enforcement will be required – is self-certification together with the possibility of legal action sufficient, or is the Advocate General really suggesting there is a need for an independent regulator (see paras 207-208)? While the issue was not discussed, the FTC has started taking action against companies that claimed to self-certify but did not comply with the terms of the safe harbour agreement (see here, here and here).
- The Commission may be obliged to review any such decision in the light of changing circumstances, and should not leave systems which are clearly inadequate in place.
In the absence of a safe harbour agreement, companies seeking to transfer data to the US will have to use other mechanisms such as ‘Binding Corporate Rules’ or ‘Standard Contractual Terms’. These are individually approved by national regulators.
The first part of the Opinion dealt with the position of national regulatory authorities, opening up the possibility for national regulators to challenge what they see as too low a level of protection. Will this force an upward standard of protection with regard to third countries? Quite apart from this open question, we should note that the Advocate General took the opportunity to make some general points about the need to respect fundamental rights and not to rely on interpretations of the law that are inconsistent with those rights.
While these points were addressed to the making of the decision, they reiterate that the focus of the Directive is the protection of privacy and respect for data protection; the free movement of data seems to come a poor second, whatever the data industry and the legal basis for the Directive might have to say. Such an approach has relevance to the interpretation of the Directive more generally. This reliance on fundamental rights arguments may also have significance as the EU institutions seek to finalise the long-awaited Data Protection Regulation.
This post originally appeared on the Information Law and Policy Centre blog and is reproduced with permission and thanks.