The long-awaited decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner was finally issued on 6 October 2015. Controversial in its findings, this preliminary ruling sheds new light on the ongoing debate regarding the collection, transfer and processing of EU citizens’ data by US companies, and the processing of that data by US intelligence agencies within the framework of the PRISM program.
Mr. Schrems, an Austrian citizen, has been a Facebook user since 2008. In the case of all users residing in the EU, some or all of the data with which they provide Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed.
Mr. Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner) on the grounds that, in light of the revelations made by Edward Snowden in 2013 concerning the activities of the United States intelligence services (in particular, the NSA), the law and practice in force in the United States did not offer sufficient protection against surveillance by the public authorities of data transferred to that country. The Irish supervisory authority rejected the complaint on the basis of the decision of 26 July 2000, which considered that under the “safe harbour scheme” the United States ensured an adequate level of protection of the personal data transferred (known as the Safe Harbour Decision).
Mr. Schrems then filed an appeal with the High Court of Ireland, which considered that the issue prompting his action was closely related to EU law since, according to that High Court, the Safe Harbour Decision did not comply with the principles set forth in the judgments in C-293/12 and C-594/12, EU:C:2014:238.
Preliminary questions submitted to the CJEU
On 17 July 2014, the High Court of Ireland, before which the case had been brought, submitted the following questions to the Court of Justice for a preliminary ruling:
(1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?
The Advocate General’s Opinion of 23 September 2015
According to the Opinion of the Advocate General (Yves Bot), a company, by merely having a Safe Harbour certification, would not automatically comply with the European data directive on export requirements.
This argument had already been made in Communication COM(2013) 846 and Communication COM(2013) 847.
As was to be expected, the CJEU followed the arguments put forward by the Advocate General.
The CJEU ruled that the Safe Harbour Decision was invalid, and that the Irish supervisory authority should have examined Mr. Schrems’ complaint comprehensively and with all due diligence in order to determine whether the transfer of data by Facebook’s European subsidiary to Facebook’s US servers was in conformity with data protection principles and with the protection of EU citizens’ fundamental rights, considering that there was evidence to suggest that the practices carried out in the US did not grant an appropriate level of protection to Mr. Schrems’ personal data.
This judgment shatters the Safe Harbour system that was in place and is being considered by scholars and the media as a shocking move in the protection of EU citizens’ data.
On 1 October 2015, Mr. Schrems himself was unable to foresee the result and impact of his quest.
The aftermath. Potential consequences.
This decision, just like last year’s decision in C-131/12 Google Spain v AEPD and Mario Costeja González (for a comment in this blog, here), has caused a global tsunami in the data protection and IT sectors.
It is now for the EU Member States, in particular to their Data Protection Agencies, to decide on Safe Harbour within their respective jurisdictions, and even forbid it within their borders.
Considering that the High Court of Ireland was the court which had brought this question to the CJEU’s attention, it will likely be the first judicial body to decide whether US companies should: (a) compile and process all EU citizens’ data within the EU; or (b) undertake to grant real protection to EU citizens’ data, avoiding any disturbance or interference from US intelligence agencies.
It must nevertheless be highlighted that the conclusions drawn by the CJEU on Safe Harbour would also apply to companies operating under a BCR (Binding Corporate Rules) or Model Contracts scheme.
On another note, Article 26 of Directive 95/46 lays down the exceptions on which US companies may wish to rely (namely, consent of data subjects, the need to transfer the data in order to perform a contract with the data subjects, etc.).
In view of the above, this CJEU decision is a call for foreign companies dealing with EU citizens’ data to protect that data under acceptable standards as per EU laws.
Visit our website: http://www.elzaburu.es/en
Visit our website: http://www.elzaburu.es/en
Wonderful article, thank you for sharing the info. It isn’t too often that you simply read articles where the poster understands what they’re blogging about.ReplyDelete
I have to search sites with relevant information on given topic and provide them to teacher our opinion and the article.ReplyDelete
To an extraordinary degree beautiful and enthralling post. I was chasing down this sort of data and recognized inspecting this one. Continue posting. Grateful for sharing.ReplyDelete
Hello, I'm happy to see some great articles on your site. Would you like to come to my site later? My site also has posts, comments and communities similar to yours. Please visit and take a look keonhacaiReplyDelete
Unbelievable!! The problem I was thinking about was solved.카지노사이트You are really awesome.ReplyDelete
Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. 블랙잭사이트ReplyDelete
Awesome and interesting article. Great things you've always shared with us. Thanks. Just continue composing this kind of post.ReplyDelete
This is by far the best post I've seen recently. This article, which has been devoted to your efforts, has helped me to complete my task.ReplyDelete
Appreciating the persistence you put into your blog and detailed information you provide.
I really love the theme/design of your website.
Your website is really cool and this is a great inspiring article.ReplyDelete
It is very lucky to me to visit your website. We hope you continue to publish great posts in the future.
This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free.ReplyDelete
Buying a business does not have to be a complicated endeavor when the proper process and methodology is followed. In this article, we outline eleven specific steps that should be adhered to when buying a business and bank financing is planned to be utilized. 메이저토토사이트추천ReplyDelete
It is in reality a nice and useful piece of info. I am glad that you simply shared this useful info with us.ReplyDelete
I am thankful for the article post. Looking forward to visit more. 카지노사이트ReplyDelete
So good indeed! Glad to have found your page!! This is such great work!! Interesting to read. 바둑이사이트ReplyDelete
Really great article. I'm glad to read the article. It is very informative for us, thanks for posting. 카지노사이트ReplyDelete
안전보장+다양한플레이 먹튀검증 안전노리터 goReplyDelete