Just a couple of weeks after Advocate General Bot issued his opinion in case C-362/14 the CJEU adopted its ruling declaring the Safe Harbour Commission Decision invalid. The potential effects of the judgment are far-reaching and too important for US-based companies operating in the EU which transfer EU citizens’ personal data to the US. It was anticipated that the Court would uphold the AG’s opinion and that was the case, as today’s judgment confirms.
The facts of the case can be found in “Facebook and data protection in the EU” and the analysis of the AG’s opinion in “Protection of personal information in data transfers EU-US” (available on this site).
Question referred to the CJEU
Essentially, the referring court (Irish High Court) asked whether and to what extent art 25(6) of the Data Protection Directive 95/46/EC, read in light of arts 7, 8 and 47 of the Charter of Fundamental Rights of the EU (Charter), must be interpreted as meaning that a decision adopted pursuant to that provision -Decision 2000/520-, by which the EU Commission finds that the US ensures an adequate level of protection, prevents a supervisory authority of a Member State (MS) from being able to examine the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a MS to that third country when that person contends that the law and practices in force in the third country (the US) do not ensure an adequate level of protection.
The Court recalled that the provisions of the Data Protection Directive govern the processing of personal data capable to infringe fundamental freedoms, in particular, the right to respect for private life and must be interpreted in light of the fundamental rights guaranteed by the Charter.
The guarantee of the independence of national supervisory authorities (art 28 of the Directive) is intended to ensure the effectiveness and reliability of the monitoring of compliance with the provisions concerning protection of individuals and the processing of their personal data and must be interpreted in the light of that. The establishment of national independent supervisory authorities is an essential component of the protection of individuals with regard to the processing of personal data.
The national supervisory authorities must ensure a fair balance between observance of the fundamental right to privacy and the interests requiring free movement of personal data. But their powers concern the processing of data carried out on their own territory, they do not have powers in respect of processing of such data in a third country. However, having personal data transferred from a MS to a third country constitutes processing of personal data within the meaning of art 2(b) of the Directive carried out in a MS.
Whilst acknowledging that transfers of personal data from MS to third countries are necessary for the expansion of international trade, the Directive lays down as a principle (art 25(1)), that such transfers may take place only if the third country ensures an adequate level of protection (otherwise they are prohibited).
The Commission may adopt, on the basis of art 25(6) of the Directive, a decision finding that a third country ensures an adequate level of protection. Such decision is addressed to the MS that must comply with it (see art 288 TFEU ie. binding on all MS to which it is addressed and also on all their organs) in so far as it has the effect of authorising transfers of personal data from the MS to the third country covered by it. This is the reason why the Irish Data Protection Commissioner dismissed the claim. Please note that decisions, as secondary pieces of EU law, can only be invalidated by the CJEU.
A Commission decision such as Decision 2000/520 cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim, within the meaning of art 28(4) of the Directive, concerning the protection of their rights and freedoms in regard to the processing of that data. A decision of that nature cannot eliminate or reduce the powers expressly accorded to the national supervisory authorities by art 8(3) of the Charter and art 28 of the Directive.
Thus, even if the Commission adopted a decision the national supervisory authorities, when hearing a claim lodged concerning the protection of rights and freedoms in regard to the processing of personal data relating to a claimant, must be able to examine, with complete independence, whether the transfer of that data complies with the Directive’s requirements. If that were not so EU citizens would see denied the right, guaranteed by art 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim for the purpose of protecting their fundamental rights.
The Court recalls that the EU is based on the rule of law and all its institutions’ acts are subject to review of their compatibility with the Treaties, general principles of law and fundamental rights. Commission decisions cannot escape such review.
Faced with a claim such as the one in question in the national proceedings the national supervisory authority must examine it with all due diligence. In a situation where the supervisory authority comes to the conclusion that the arguments put forward in support of a claim are unfounded and therefore rejects it, the person who lodged the claim must have access to judicial remedies to challenge such decision before the national courts. Those courts must stay proceedings and make a reference to the CJEU for a preliminary ruling on validity (art 267 TFEU) where they consider that grounds for invalidity put forward by the parties or raised by them of their own motion are well founded.
Mr Schrems (claimant in the national proceedings) expressed doubts, which the referring court seems to share, concerning the validity of Decision 2000/520. The Court then goes on to examine whether the decision complies with the Directive’s requirements, read in light of the Charter.
The Directive does not contain a definition of the concept of ‘adequate level of protection’. The word ‘adequate’, though, means that a level of protection identical to that guaranteed in the EU cannot be required. However, ‘adequate level of protection’ must be understood as requiring the third country to ensure, by domestic law or international commitments, a level of protection essentially equivalent to that guaranteed within the EU by virtue of the Directive, read in light of the Charter. If there were no such requirement, the high level of protection guaranteed by the Directive could easily be circumvented by transfers of personal data from the EU to third countries for the purpose of being processed in those countries.
Even when the Commission finds that a third country ensures that adequacy level and issues a decision on that it must review it periodically and take into account new circumstances, when evidence gives rise to a doubt as regards the non compliance with that adequacy level.
The Commission found in art 1(1) of Decision 2000/520 that the principles set out in Annex I, implemented in accordance with the guidance provided by the FAQs set out in Annex II, ensure an adequate level of protection for personal data transferred from the EU to US-based organisations. Those principles and FAQs were issued by the US Department of Commerce.
The Safe Harbour principles are intended for use solely by US organisations receiving personal data from the EU for the purpose of qualifying for the safe harbour and the presumption of ‘adequacy’ it creates (the whole scheme is based on self-certification). Those principles are therefore applicable solely to self-certified US organisations receiving data from the EU and US public authorities are not required to comply with them.
In addition, the applicability of those principles may be limited, in particular, ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’ and ‘by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’. In other words, if a self-certified company such as Facebook allows governmental bodies to access the data it does so based on the derogation and in compliance with US law.
Protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary. Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the EU to the US without any differentiation, limitation or exception being made in light of the objective pursued and without an objective criterion laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.
Legislation permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life guaranteed by art 7 of the Charter. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection (art 47 of the Charter).
The Commission did not state, in Decision 2000/520, that the US in fact ‘ensures’ an adequate level of protection through its domestic law or its international commitments. Consequently, there was no need to examine the content of the Safe Harbour principles and the Court concluded that art 1 of Decision 2000/520 fails to comply with the requirements of art 25(6) of Directive, read in light of the Charter, and is accordingly invalid. Further, the Court finds that art 3 of the Decision denied national supervisory authorities the powers to suspend data transfers when they suspect those transfers do not comply with the Directive. In doing so the Commission exceeded its delegated powers, another ground to invalidate the Decision.
The Court ruled that: Art 25(6) of Directive 95/46/EC as amended, read in light of arts 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a MS, within the meaning of art 28 of that Directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a MS to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. It further declared Decision 2000/520 invalid.
It is now for the High Court to apply the judgment in Ireland. In all likelihood further data transfers from Facebook Ireland to Facebook Inc. will be suspended until the Commission replaces (if at all) the invalidated Decision.
This judgment has far-reaching implications as it can be extrapolated to other companies in a similar situation.
The most advisable medium-term solution for US-based companies operating in the EU would be to set up servers in the EU and process all necessary data in accordance with the Directive’s requirements. They will be closely supervised by national competent authorities that have now, following the removal of the Decision from the EU legal order, been freed to assess claims and protect fundamental rights of EU citizens.
NB. the list of companies affected by this ruling can be found here.