Your Facebook Data Just Got a Lot More Secure – Case Analysis C-362/14 Maximillian Schrems v Data Protection Commissioner

Dissecting the Safe Harbor Decision of the ECJ

[Note: For a broader overview on the topic look at our recently published Saar Blueprint by Oskar Josef Gstrein – Regulation of Technology in the European Union and beyond (10/15) which also covers the Schrems Case]

Kanad Bagchi[1]

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” Words of Hollywood legend Marlon Brando, which to the mind of the author most aptly epitomize the Opinion of the Court in its Schrems decision (“Opinion”), delivered on 6th October 2015. Long-standing concessions regarding data processing and transfer between the European Union (“EU”) and United States (“US”) were summarily dismissed in the face of competing claims to the right to privacy and data protection. The Court declared that Commission Decision 2000/520 (“Decision”), recognizing the equivalence of US data protection mechanisms, fails to ensure ‘an adequate level of protection’ for EU citizens, as mandated under Directive 95/46/EC (“Directive”), the EU’s principal data protection law. Further, the Court preserved the powers of a Member State National Supervisory Authority to admit and examine claims against the processing and transfer of data to third countries, irrespective of a European Commission (“Commission”) finding that a particular third country ensures an adequate level of protection. The Opinion is likely to disrupt data-intensive businesses in the EU and US, compelling authorities on both sides of the Atlantic to rework existing transfer arrangements. In other words, the Opinion is arguably the strongest response to Edward Snowden’s revelations with respect to the extensive surveillance and monitoring activities undertaken by US authorities in the recent past, and has already received much fanfare amongst privacy activists and the like.

In the present post, the author dissects different aspects of the Opinion, in an attempt to produce more clarity and coherence on EU data protection rules and the Commission Decision on ‘Safe Harbor’, so as to underline the obligations of EU and member state authorities arising out of the same. The post also speculates on the immediate implications of the decision for US and EU tech firms and considers the momentous task ahead of the respective authorities.

Maximillian Schrems’s tryst with Privacy

In the backdrop of Edward Snowden’s revelations concerning mass scale Internet and phone surveillance conducted by the US National Security Agency, Mr. Schrems, an Austrian national, approached the Data Protection Commissioner in Ireland, insisting that Facebook Ireland be prohibited from transferring his personal data to the US. Schrems’s claim was rejected by the Commissioner on the grounds, inter alia, that the former was constrained from advancing a plea of ‘inadequacy of protection’ as the EU Commission through its Decision had concluded otherwise. On appeal however, the High Court reasoned that neither the Directive nor the Decision, when read in the light of both the Irish Constitution and the Charter of Fundamental Rights of the European Union (“Charter”), prevents national supervisory authorities from examining, in limine, a claim contesting the adequacy of protection afforded to his personal data in the third country. Finding that the above enquiry involved questions relating to the interpretation of EU law, the High Court thought fit to refer the questions to the ECJ for a preliminary ruling.

EU Safe Harbor rules and their context

Directive 95/46/EC has a twin set of objectives underpinning data protection within the EU and beyond. First, it provides a framework for the processing of personal data by member states of the EU and lays down certain safeguards pertaining to the same. Second, in the interest of international trade and business, it acknowledges and prescribes a mechanism to ensure the cross-border free flow of personal data between EU member states and third countries. For the purposes of its second objective, with which the author is most acutely concerned, the Directive prescribes certain core principles (“safe harbor principles”) that ought to govern member state discretion in the transfer of personal data beyond EU borders. Article 25 of the Directive, inter alia, provides that a member state in approving such transfer of personal data is to satisfy itself that “…the third country in question ensures an adequate level of protection…” after considering all “…the circumstances surrounding a data transfer…” In this regard, if the Commission gathers that a third country falls short of providing an ‘adequate level of protection’, member states ought to implement measures “…necessary to prevent any transfer of data of the same type to the third country in question…” Likewise, if the Commission finds that a third country ensures an ‘adequate level of protection’, member states are to take measures in pursuance of the same.

To ensure the proper implementation of the above-mentioned principles, the Directive calls for the establishment of independent National Supervisory Authorities (“supervisory authorities”) within each member state, endowed with an extensive set of powers. For instance, member states are to consult their respective supervisory authorities while formulating internal measures to give effect to the Directive. Further, such authorities have the power to investigate and access data pertaining to processing and transfer, to deliver opinions with respect to processing operations, and also the power, if not the obligation, to challenge through legal means before national courts the incorrect or improper implementation of the Directive by member state authorities. EU citizens may approach supervisory authorities and lodge claims “…concerning the protection of his rights and freedoms in regard to the processing of personal data…”, and have the right to be informed of the outcome of their claim. In essence, a whole gamut of responsibilities relating to supervising and monitoring the implementation of the Directive has been conferred on national supervisory authorities.

In pursuance of its powers under the Directive, the Commission adopted Decision 2000/520 certifying that the processes and mechanisms established by the US authorities ‘ensure’ an adequate level of protection of personal data transferred from the EU. In this regard, the Commission relied on a system of self-certification and public disclosure by organizations within the US of their intent and willingness to abide by the safe harbor principles. The framework for the above-mentioned process was implemented in accordance with the guidance provided by the US Department of Commerce through frequently asked questions. By way of derogation, however, the applicability of the safe harbor principles to US organizations could be circumscribed so far as is “…necessary to meet national security, public interest, or law enforcement requirements…”. It is important to note that the Decision was adopted in the year 2000, representing a state of affairs dating back fifteen years, and has remained unaffected since.

Ruling of the Court

The Court decided two sets of questions, namely, first, whether the powers of National Supervisory Authorities were constrained as a result of the Commission Decision on adequacy levels in the US and second, whether the Commission Decision was valid under extant rules of EU law.

At the outset, the Court observed that the Directive and its provisions ought to be interpreted in the light of the Charter, especially Articles 7 (privacy) and 8 (data protection), inasmuch as the processing and transfer of data is liable to intrude upon the Charter rights. Art. 28(1) of the Directive therefore requires member states to establish independent supervisory authorities tasked with the mandate to monitor the member states’ compliance with EU law. Towards that end, the Court noted, supervisory authorities derive their power and competence directly from “…primary law of the European Union…” and operate independently of the Commission Decision. In the same breath, the Court determined that a Commission Decision adopted in pursuance of the Directive does not foreclose the power of a supervisory authority to examine claims relating to the processing of personal data. If upon such examination it appears that claims relating to the violation of Art. 7 and 8 of the Charter or of the principles stated in the Directive are plausible, the supervisory authority ought to be in a position to challenge the same in the courts of the member state, which in turn ought to refer the question to the ECJ through the preliminary reference procedure. Thus, in effect, the Court ruled that a determination by the Commission of the adequacy or inadequacy of a third country regime in protecting the rights of the individual does not prevent supervisory authorities from entertaining claims pleading to the contrary.

Although the High Court did not specifically raise the question of validity of the Commission Decision, the ECJ after perusing through the scheme of the safe harbor regime, concluded that “…until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision…” Hence, it became imperative for the Court to examine the validity of the Commission Decision as against both the requirements of the Directive and the Charter.

While the Directive allows the Commission to conclude that “…a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments…” it admittedly does not define either the content or the standard in determining the adequacy of protection afforded by the third country’s regime. Under such circumstances, the Court reasoned that ‘adequate protection’ ought to mean ‘essentially equivalent’ if not ‘identical’ to the protection afforded to citizens in the EU.

In this regard, the Court found that the system of self-certification could only constitute a reliable measure of adequacy if it was backed by mechanisms to identify and punish errant US organizations. The Commission Decision, however, to the mind of the Court, did not contain “sufficient findings” with respect to any such mechanism employed by the US to ensure an adequate level of protection. Moreover, a turning point for the Court was its finding that the safe harbor principles were to govern, albeit voluntarily, the conduct of US organizations only, without having a consequent binding effect on US public authorities. Therefore, the Decision admitted of the possibility of the safe harbor principles and their applicability being limited by state authorities in the interest of national security or the public interest. Consequently, the Court observed that the Decision was silent with respect to specifying either any limits to such state interference or the existence of effective legal protection against the same. While EU law, interpreted in the light of the Charter and the Court’s prior rulings, limits state interference to what is “strictly necessary”, the Decision allows US authorities to store all personal data on a “generalized basis”. Such general collection and processing of data, without the possibility of an effective remedy, the Court declared, constitutes an infraction of the rights guaranteed under the Charter, including Articles 7, 8 and 47 (effective judicial protection), thereby affecting the validity of the Commission Decision.

In addition, the Court declared invalid Article 3 of the Decision in so far as it restricted the powers of the national supervisory authorities to entertain claims relating to the adequacy of protection enshrined under third country rules on data protection.

Further Comments

The Schrems decision mirrors Advocate General Bot’s opinion in most parts, barring some minor deviations (for a fuller enquiry, see here). In essence, the ECJ ruled that the present standard of protection afforded by the US does not match up to that of the EU and hence, US companies cannot be trusted with personal data belonging to EU citizens. Whether good wisdom prevailed on the Court depends on which side of the debate one finds oneself on. Indeed, the Court conveniently assumed certain regulatory and administrative features of the US system, without having provided US officials with the opportunity to be heard on the matter. Moreover, as pointed out, incessant reliance was placed by the Court on outdated Commission reports suggesting a less rigorous approach towards the preservation of individual liberties in the US. Therefore, extreme criticism has been leveled against the Court for condemning an entire system of rules and regulations on the basis of presumptuous evidence. Also, the Court’s insistence on a standard of ‘adequacy’ resting on “essentially equivalent” rather than “identical” is neither precise nor helpful, leaving much to judicial oversight and less to bureaucratic discretion. While the Court did not find the process of ‘self-certification’ to be inherently repugnant to the idea of equivalent protection, it nonetheless emphasized that such certification alone was inadequate in the absence of consequent enforcement of the same. This raises the question of whether the US authorities will now have to commission independent bodies, much like the national supervisory authorities in the EU, to constantly monitor the implementation of the safe harbor principles.

Where has the decision left State authorities and Private corporations?

The EU and the US were already undergoing negotiations for a review of the Decision in the aftermath of the Snowden revelations, and it is reasonable to suggest that the Commission will have to seek more far-reaching commitments from the US authorities than were previously estimated. Considering the differing standards of protection afforded to privacy rights in the EU and the US, a new agreement on the subject is likely to be long-drawn and tiresome. In the meanwhile, personal data transfer for US companies is definitely going to get more cumbersome and costly, as the process of transfer would be largely governed by 28 different national rules on the subject, each displaying varying degrees of bureaucratic skirmishes. Although there are reports suggesting that certain companies, in anticipation of the decision, had already started reviewing their transfer policies, including considering moving to options like model contract clauses and binding corporate rules, the situation is a far cry from ‘business as usual’, especially for small and medium enterprises.

That apart, the Opinion has received a favorable response from privacy activists and human rights groups, especially in the light of the Court’s insistence that mass surveillance and the indiscriminate sourcing of personal data constitute a violation of the Charter rights. Further, as a result of the Opinion, supervisory authorities are likely to exercise a more active role in assessing the cross-border transfer of data, which only adds yet another layer of protection to personal data. Privacy advocates are already anticipating that in the long run, European citizens may be able to contend that their data be stored and processed only within the borders of the EU, much like the recent Russian agenda. Nonetheless, as things stand today, the clock has been turned back several years and much has been left to chance and uncertainty.

[1] Kanad Bagchi (kanad.bagchi@gmail.com) is an MSc Candidate in Law and Finance at the Faculty of Law, University of Oxford, UK. Formerly, he was a research assistant at Europa-Institut, Universität des Saarlandes, Germany.

Suggested Citation: Bagchi, Kanad, Your Facebook Data Just Got a Lot More Secure: Case Analysis C-362/14 Maximillian Schrems v Data Protection Commissioner, jean-monnet-saar 2015, DOI: 10.17176/20220308-174158-0