The long-awaited decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner was finally issued on 6 October 2015. Controversial in its findings, this preliminary ruling sheds new light on the ongoing debate regarding the collection, transfer and processing of EU citizens’ data by US companies, and the processing of that data by US intelligence agencies within the framework of the PRISM program.
Mr. Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case for all users residing in the EU, some or all of the data he provides to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed.
Mr. Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner) on the grounds that, in light of the revelations made by Edward Snowden in 2013 concerning the activities of the United States intelligence services (in particular, the NSA), the law and practice in force in the United States did not offer sufficient protection against surveillance by the public authorities of data transferred to that country. The Irish supervisory authority rejected the complaint on the basis of the decision of 26 July 2000, which considered that under the “safe harbour scheme” the United States ensured an adequate level of protection of the personal data transferred (known as the Safe Harbour Decision).
Mr. Schrems then filed an appeal with the High Court of Ireland, which considered that the issue prompting his action was closely related to EU law since, according to that High Court, the Safe Harbour Decision did not comply with the principles set forth in the judgments in C-293/12 and C-594/12, EU:C:2014:238.
Preliminary questions submitted to the CJEU
On 17 July 2014, the High Court of Ireland, before which the case had been brought, submitted the following questions to the Court of Justice for a preliminary ruling:
(1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?
The Advocate General’s Opinion of 23 September 2015
According to the Opinion of the Advocate General (Yves Bot), a company would not automatically comply with the export requirements of the European data directive merely by holding a Safe Harbour certification.
As was to be expected, the CJEU followed the arguments put forward by the Advocate General.
The CJEU ruled that the Safe Harbour Decision was invalid, and that the Irish supervisory authority should have examined Mr. Schrems’ complaint comprehensively and with all due diligence in order to determine whether the transfer of data by Facebook’s European subsidiary to Facebook’s US servers was in conformity with data protection principles and with the protection of EU citizens’ fundamental rights, considering that there was evidence to suggest that the practices carried out in the US did not grant an appropriate level of protection to Mr. Schrems’ personal data.
This judgment shatters the Safe Harbour system that was in place and is being considered by scholars and the media as a shocking move in the protection of EU citizens’ data.
On 1 October 2015, Mr. Schrems himself was unable to foresee the result and impact of his quest.
The aftermath. Potential consequences.
This decision, just like last year’s decision in C-131/12 Google Spain v AEPD and Mario Costeja González (on which this blog has also commented), has caused a global tsunami in the data protection and IT sectors.
It is now for the EU Member States, and in particular their Data Protection Agencies, to decide on Safe Harbour within their respective jurisdictions, and even to forbid it within their borders.
Considering that the High Court of Ireland was the court which had brought this question to the CJEU’s attention, it will likely be the first judicial body to decide whether US companies should: (a) compile and process all EU citizens’ data within the EU; or (b) undertake to grant real protection to EU citizens’ data, avoiding any disturbance or interference from US intelligence agencies.
It must nevertheless be highlighted that the conclusions drawn by the CJEU on Safe Harbour would also apply to companies operating under a BCR (Binding Corporate Rules) or Model Contracts scheme.
On another note, Article 26 of Directive 95/46 lays down the exceptions on which US companies may wish to rely (namely, consent of data subjects, the need to transfer the data in order to perform a contract with the data subjects, etc.).