Today’s opinion of the Advocate General at the European Court of Justice on US transfers under European Data Protection Laws challenges the legitimacy of such transfers and threatens international trade.
OPINION: SAFE HARBOR INVALID
Advocate General (“AG”) Bot has today delivered his opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.
This includes recommendations to the European Court of Justice (the 'Court') to the effect that:
- national data protection authorities should be free to investigate and suspend data transfers regardless of any Commission assessment of the 'adequacy' of protection in the destination country; and
- perhaps more strikingly, the Commission decision establishing the 'safe harbor' regime should be declared invalid because of the US government access to personal data revealed by the Snowden affair.
Click here for a detailed summary of the case.
The view of the AG raises concerns, with respect to its practical implications and from a legal perspective, in particular regarding the separation of power between executive, legislature and courts. The AG places emphasis on the independence of data protection authorities and treats them as ‘judicial’ bodies enabling them to suspend decisions of the legislature (Commission); we suggest that DPAs are executive bodies and that for them to suspend legislative decisions would offend against basic European constitutional principles.
It is important to note that AG Bot's opinion is not binding on the Court, but the Court can conclude based on its own discretion. Whereas the Court statistically agrees with the AG in most cases, history shows that this is not necessarily the case in highly political topics like the case at hand. Nevertheless, US companies and European companies doing business in the US should not simply wait for the Court’s judgment (which can be expected in 3-6 months), but should start thinking about alternative processes if the Court indeed follows the AG. If the Court agrees to this radical view, significant consequences could follow for businesses that use and rely upon transatlantic data transfers (i.e. most international businesses). At minimum, it would mean the end of 'safe harbor' as we currently know it. Significant restructuring of the methods by which this occurs may be necessary.
In addition significant disruption to businesses involved in transatlantic data transfers is likely until judgment is given. Customers will be reluctant to rely on the safe harbor provisions and may turn to alternative methods of legitimising such transfers (such as standard contractual clauses) or seek to avoid transfers to the US. The impact of the decision on other means used for US transfers (such as standard contractual clauses) is also unclear as data will be subject to the same US government exposure under such means.
It may be possible to rectify the problems identified by AG Bot with a raft of revisions to the regime that will operate in conjunction with:
- a forthcoming EU-US Umbrella Agreement designed to provide protections for data exchanged between the unions for the purposes of law enforcement co-operation; and
- the incoming US Judicial Redress Bill, which is currently before Congress and proposes to grant EU citizens access to redress before US courts in the event of unlawful processing.Any such amendment would remain a long-term project. It remains to be seen what, if any, intermediate remedial action the Commission would take if the Court confirms the opinion of the AG. However, even if one dislikes Safe Harbor, it is hoped that the Court does not follow the AG.
Maximillian Schrems is an Austrian citizen and Facebook user. As with all EU-resident Facebook members, data he provides to Facebook is transferred from their Irish subsidiary to US servers. Concerned by the Snowden revelations, Schrems complained to the Irish data protection authority (the Data Protection Commissioner) that US law and practice offers insufficient protection for such transferred data against surveillance by their government.
The Irish authority rejected this complaint. They justified this with reference to a Commission decision (2000/520/EC of 26 July 2000 – the 'Safe Harbor Decision') that confirmed that where US companies participate in the 'safe harbor' scheme, data is adequately protected.
Schrems judicially reviewed this decision. The High Court of Ireland requested a preliminary ruling from the European Court of Justice (“Court”) on the question of whether or not the Irish authority was absolutely bound to the position contained in the Safe Harbor Decision, notwithstanding the need to give effect to rights under the EU's Charter of Fundamental Rights 2000 (the 'EU Charter').
The Irish High Court in particular seeks clarification of whether the Safe Harbor Decision prevents a national data protection authority from:
- investigating a complaint that the transfer of data to a relevant US entity is adequately protected; and
- where appropriate, suspending the contested transfer of data.
Key Elements of AG Bot's Opinion
1. Commission decisions do not affect powers of national supervisory authorities
Advocate General (“AG”) Bot considers that the existence of a Commission decision identifying an 'adequate level of protection' for transferred personal data in a third country cannot eliminate or reduce powers of a national supervisory authority. They may investigate and suspend transfers regardless of the Commission's assessment and any ultimate decision.
Although he appreciates that national supervisory authorities are in principle legally bound by Commission decisions, he states this should not inhibit the total independence to which such bodies are entitled under the directive. De facto, he sees the Commission decision just as a guideline which does not bind the authorities in the individual case.
The AG therefore notes that the Safe Harbor Decision's binding effect cannot require complaints such as that of Mr Schrems to be rejected summarily without any examination of their merits. His justification includes reference to the fact that:
- the competence to make a finding of 'adequate protection' is one shared between Member States and the Commission; and
- where systemic deficiencies are found in a third country, Member States must be able to take steps necessary to safeguard citizen's rights protected by the EU Charter. These rights include the right to respect for private and family life and a right to the protection of personal data.
2. The Safe Harbor Decision is invalid
Although not specifically asked by the Irish Court, AG Bot nevertheless recommends that the Court finds the Safe Harbor Decision to be invalid.
He notes findings of the Irish High Court and the Commission which show that US law and practice facilitates the large-scale collection of EU citizens' transferred personal data, without providing effective judicial protection. In his opinion, these facts illustrate the inadequate guarantees offered by the Safe Harbor Decision which, in turn, mean it has not been implemented in line with the Data Protection Directive or EU Charter.
He added that:
- the mass, indiscriminate and broadly unmonitored access to personal data enjoyed by US intelligence services during surveillance activities constitutes a disproportionate interference with EU citizens' right to respect for their private life and of protection of personal data under the EU Charter; and
- the inability of EU citizens to complain about surveillance and interception in US courts constitutes a disproportionate interference with their right to an effective remedy under the EU Charter.
The AG stated that although Commission negotiations with the US to address the safe harbor regime's shortcomings are ongoing, the application of the Safe Harbor Decision ought to have been suspended already. He noted that the fact that such discussions were taking place illustrated an acknowledgment by the Commission that the scheme is no longer sufficient and that the decision requires replacement.
EVALUATION OF AG BOT'S OPINION
We believe that the opinion should not be followed by the Court. One may argue against Safe Harbor. However, besides not reflecting reality, both key statements of the AG can be challenged legally.
First, AG Bot’s opinion that data protection authorities, in our view executive and not judicial bodies, can overrule the Commission is not in line with the basic principle of the balance of powers as part of EU law. The seemingly contradictory opinion of the AG that the “binding” Commission decision only raises a rebuttable presumption of adequacy seems to reverse the normal balance of powers. It turns the legislator into the executive (legislative decisions just being non-binding guidelines) and the executive into courts (data protection authorities can overrule the Commission decision).
Second, it can be contended that AG Bot’s statement on the invalidly of Safe Harbor was an excess of the jurisdiction of the Court and hence the AG. Their role, notwithstanding the Court’s broad purposive approach to statutory construction, is not to provide general legal advice, but to answer the questions raised by the local courts. The Irish High Court however did not ask for an evaluation of Safe Harbor, but only whether the Irish data protection authority has the duty to investigate a complaint about Safe Harbor based transfers in the light of factual developments subsequent to the publication of Decision 2000/520 (the Commission’s approval of Safe Harbor).
Therefore, it remains to be seen whether the Court follows the AG. We believe that it should not.