- 2507 views
Keywords: protection of personal data – Directive 95/46/EC – Safe Harbour Decision – Charter of Fundamental Rights of the European Union – national supervisory authority.
The Data Protection Directive (Directive 95/46/EC)[1] provides that the transfer of personal data to a third country may take place only if that third country ensures an adequate level of protection of the data. The Directive 95/46 provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’). Finally, the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. In Decision 2000/520 (the ‘Safe Harbour Decision’),[2] the Commission found that the United States (US) ensures an adequate level of protection.
Mr Schrems, an Austrian national residing in Austria has been a user of Facebook. As is the case with other subscribers residing in the European Union (UE), some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems made a complaint to the Irish supervisory authority, the Data Protection Commissioner which he asked to prohibit Facebook Ireland from transferring his personal data to the United States. He contended that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services, the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.
However, the Commissioner took the view that there was no evidence that Mr Schrems’ personal data had been accessed by the United States intelligence services and consequently the request was rejected as unfounded. Mr Schrems brought an action before the Irish High Court challenging the decision of the Commissioner.
The High Court decided to refer the question to the Court of Justice whether the Commission Decision 2000/520 has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
In its judgment,[3] the Grand Chamber of the Court of Justice held that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities. The Court emphasized that even if the Commission has adopted a decision pursuant to Art. 25, para. 6 of Directive 95/46, the national supervisory authorities, when hearing a claim lodged by a person concerning the protection of his rights and freedoms with regard to the processing of personal data relating to him, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the Directive.
However, it is ultimately for the Court of Justice to decide whether or not a Commission decision is valid. Since Mr Schrems contended in the main proceedings that US law and practice do not ensure an adequate level of protection under the directive, the Court decided to examine the validity of the Safe Harbour Decision.
The criterion of “adequate protection” as foreseen by Art. 25, para. 6, of Directive 95/46 implements the express obligation laid down in Art. 8, para. 1, of the Charter of Fundamental Rights of the European Union to protect personal data. Given the importance of the fundamental rights at stake, the Commission’s discretion as to the adequacy of the level of protection ensured by a third country is reduced, with the result that review of the requirements stemming from Art. 25 of the Directive 95/46, read in the light of the Charter, should be strict.
A legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life under Art. 7 of the Charter. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Art. 47 of the Charter. Consequently, the Grand Chamber concluded that Decision 2000/520 fails to comply with the requirements laid down in Art. 25, para. 6, of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid. The judgment confirmed the Advocate General’s opinion that “it could be considered” that the limitations imposed by the Safe Harbour Decision “compromise the essence of the fundamental right to protection of personal data”.[4]
The judgment’s importance is to call upon national supervisory authorities to provide protection to individuals and to investigate complaints about transfers of personal data in full independence. Furthermore, data transfers between the EU and the United States can no longer be carried out solely by invoking adherence to the Safe Harbour Privacy Principles, but they will only be lawful if the data exporter can rely on one of the alternative tools laid down in Art. 26 of Directive 95/46. The European Commission has recently announced that it plans to reach an agreement on a successor to “Safe Harbor” until January 2016 and to prepare a decision, replacing the invalidated limitation of the powers of the national supervisory authorities in all existing adequacy decisions.[5]
--------------------
European Papers, Vol. 1, 2016, No 1, European Forum, Highlight of 16 April 2016, pp. 327-329
ISSN 2499-8249 - doi: 10.15166/2499-8249/29
* PhD candidate, Université Paris 1 Panthéon-Sorbonne and ELTE University of Budapest, berkesa@iname.com.
[1] Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] Commission Decision 2000/520/EC pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
[3] Court of Justice (Grand Chamber), judgment of 6 October 2015, case C-362/14, Maximillian Schrems v. Data Protection Commissioner.
[4] Opinion of Advocate General Bot delivered on 23 September 2015, case C-362/14, Maximillian Schrems v. Data Protection Commissioner, para. 177.
[5] Communication COM(2015) 566 final from the Commission to the European Parliament and the Council.