We may be witnessing a possible game changer event in the way that Facebook (and other major companies with main headquarters in the US) handles our personal data. Today, Advocate General Bot delivered his opinion in the context of a present reference for preliminary ruling from the High Court of Ireland to the Court of Justice of the EU (C-362/14).
At the core of the proceedings is the so-called Safe Harbour scheme (Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC – ‘Decision 2000/520’) applicable to transfers of personal data between the EU and the US.
The reference invites the Court to clarify the approach that the national supervisory authorities and the EU Commission must take when they face shortcomings in the application of Decision 2000/520.
Paramount to this case is the principle – contained in the Data protection Directive 95/46/EC – that the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited. In addition, it is important to clarify how do certain provisions of the Charter of Fundamental Rights of the EU (‘the Charter’) namely articles 7, 8 and 47, interact with article 25(6) of the Directive and in particular with the Safe Harbour scheme.
A number of revelations have recently brought to light the existence of large-scale information-gathering programmes in the US. Those revelations give rise to serious concerns as to whether the requirements of EU law are observed when personal data is transferred to undertakings established in the US but also about the weaknesses of the Safe Harbour scheme.
The request was submitted in proceedings between Mr Schrems and the Irish Data Protection Commissioner concerning the latter’s refusal to investigate a complaint made by Mr Schrems regarding the fact that Facebook Ireland Ltd keeps its subscribers’ personal data on servers located in the US. In 2013, Mr Schrems lodged a complaint with the Commissioner, claiming, in essence, that the law and practices of the US offer no real protection of the data kept in the US against State surveillance. That was said to follow from the revelations made by Edward Snowden concerning the activities of the US intelligence services, in particular those of the National Security Agency.
The Commissioner observed that any question relating to the adequacy of data protection in the third country to which the data was transferred had to be settled in accordance with Decision 2000/520. As this was the gist of Mr Schrems’ complaint (that personal data was being transferred to a third country which did not, in practice, ensure an adequate level of protection) the Commissioner took the view that the nature and very existence of Decision 2000/520 prevented him from examining the question.
Mr Schrems brought proceedings before the High Court for judicial review of the rejection of his complaint. It is the High Court that now asks guidance from the CJEU on the matter as it seems there could be good elements to find that the Decision does no longer serve its purpose in light of the widely known US surveillance programmes.
The main questions posed by the Irish Court relate to the investigative powers of the national competent authorities but ultimately are (or will be) also about the validity of the Decision itself.
The bottom line of the AG’s opinion is that the very existence of the Decision does not prevent national authorities from conducting investigations as regards potential breaches of EU law in the field of transfer of personal data to the US and that the Decision itself should be invalidated as it no longer provides an adequate level of protection to the one EU citizens enjoy in the EU territory.
The opinion contains plenty of interesting and (legally) reasonable points and as such will be the subject of a follow-up note in the coming days. However, at this point it is important to stress that the outcome of this case could be political in itself – if the Court does not invalidate the Decision – or one where it upholds the fundamental rights of its citizens to a high level of protection as seen in recent judgments such as C‑293/12 Digital Rights Ireland and Others (where the CJEU invalidated the Data Retention Directive based on the non-compliance with the EU principle of proportionality – although the underlying reason was the right to privacy contained in the Charter).