DATA TRANSFERS Maximillian Schrems v. Data Protection Commissioner Court of Justice of the European Union, C-362/14, 6 October 2015 In a landmark judgment the Court of Justice of the European Union (‘CJEU’) followed the Attorney General’s opinion in ruling that the EU-US Safe Harbor cross-border data transfer mechanism that had served trans-Atlantic trade for the past 15 years is invalid. The facts […] contrary to the principle of States and supervisory authorities Mr. Schrems is an Austrian privacy proportionality.” The High Court cannot simply adopt measures campaigner. Following Edward considered that the Commission’s contrary to Commission decisions. Snowden’s revelations in 2013 adequacy decision on Safe Harbor Rather, to ensure legal certainty, it concerning the extent of access by (Decision 2000/520) did not satisfy is for the CJEU “alone” to decide US intelligence and law the right to respect for private life, that measures of the European enforcement agencies to personal as guaranteed by Article 7 of the institutions are invalid. The CJEU data of European citizens held by Charter of Fundamental Rights of was clear that neither the Irish US companies, Mr. Schrems the European Union, and noted DPC, nor any other EU DPA, complained to the Irish Data that Mr. Schrems’ case, in effect, could simply declare the Safe Protection Commissioner (‘DPC’) challenged the legality of the Safe Harbor to be invalid. However, challenging Facebook’s use of Safe Harbor framework itself. DPAs are required to consider Harbor to transfer personal data to Accordingly, the Irish High Court complaints from individuals the US. Mr. Schrems claimed that decided to stay the proceedings concerning the protection of their the Safe Harbor does not provide and seek a preliminary ruling from rights and freedoms where data an adequate level of protection for the CJEU as to whether the Irish have been transferred abroad for EU personal data in the US. He DPC was bound by the processing. asked that the Irish DPC examine Commission’s adequacy decision Next, the CJEU proceeded to the validity of the transfer on Safe Harbor (Decision assess the validity of Decision mechanism and, if necessary, that 2000/520), precluding any 2000/520. Here, the court focused it suspend Facebook’s further investigation by the DPC into the on the requirement that a third transfers of personal data to the protection afforded to data country must ensure an “adequate” US. The DPC refused to do so, on transferred in reliance on Safe level of data protection. In the basis that the transfers relied Harbor. Alternatively, the CJEU examining the concept of on an adequacy decision of the was asked to consider whether the adequacy, the CJEU was clear that European Commission. The DPC DPC could conduct its own this does not require a third considered it had no authority to investigation into the continued country to ensure a level of review or challenge an adequacy adequacy of Safe Harbor, in light protection for personal data that is decision of the Commission. of the facts revealed since the “identical” to that guaranteed in Further, the DPC noted that there Commission reached its decision. Europe. Instead, the level of was no evidence that Mr. Schrems’ protection for fundamental rights personal data had, in fact, been The CJEU’s judgment and freedoms must be “essentially accessed by US intelligence and law In a judgment that concurred with equivalent” to that guaranteed in enforcement agencies. the Opinion of Advocate General Europe. This will be a factual issue Following the DPC’s rejection of Bot, the CJEU decided that in each case, requiring examination his complaint, Mr. Schrems national data protection of a country’s domestic law and its appealed to the Irish High Court. authorities (‘DPAs’) are not bound international commitments. The High Court found that while by Commission adequacy Further, as the levels of protection the US National Security Agency’s decisions, but are entitled to may change over time, the CJEU electronic surveillance and conduct their own investigation considered that the Commission interception of EU personal data into whether transfers of personal would need to “check periodically” “serve necessary and indispensable data are subject to an adequate whether an adequacy finding objectives in the public interest,” level of protection. In addition, the remained “factually and legally Edward Snowden’s revelations CJEU went further than the justified.” demonstrated a “significant over- specific questions referred to it, In assessing the continued reach” by the federal agencies. The and considered whether Decision validity of Decision 2000/520, the Irish High Court noted that EU 2000/520, on which the Safe CJEU noted, in particular, the fact citizens have no right to be heard Harbor rests, is valid. The CJEU that under the Safe Harbor, on these issues in the US, and that decided that it is not. “‘national security, public interest once transferred to the US, the In reaching its decision, the CJEU or law enforcement requirements’ data of EU citizens could be emphasised that until such time as have primacy over the safe harbor subject to “indiscriminate a Commission decision is declared principles,” and (in effect) the surveillance and interception invalid by the CJEU, it must be fundamental rights of EU citizens carried out […] on a large scale presumed to be lawful. Member in relation to their personal data. 03 E-Commerce Law Reports - volume 15 issue 05
Recommend
More recommend
