
The EU-US Privacy Shield: An Effective New Framework for Transatlantic Data Flows or A Weak Compromise Doomed to Fail?

An article by Pieter Gryffroy*

I. INTRODUCTION

On 2 February 2016, the European Commission announced[1] that it had reached an agreement with US authorities on a new safe harbour regime, after the old regime had been invalidated by the Court of Justice on 6 October 2015 in its judgment in the Schrems case,[2] already reported on here. The new regime, called the EU-US Privacy Shield, was agreed upon just in time to meet the deadline set by the Article 29 working party (which represents the national data protection authorities) after the Schrems judgment, failing which national data protection authorities within the EU would have taken coordinated enforcement actions to ensure effective protection of the personal data of EU citizens in the US.[3] The Article 29 working party will now assess the new deal on the transfer of personal data across the Atlantic.[4] Whilst the full text of the new agreement is not yet accessible to the general public, the key elements of the agreement are known and have already attracted a lot of criticism. This contribution will first touch upon the background of the new agreement, explaining why it was necessary and how it functions within the framework of EU data protection law. Secondly, the contribution will assess whether the EU-US Privacy Shield is up to the task of ensuring an effective protection of the personal data of EU citizens contained in transatlantic data flows.


II. BACKGROUND: THE OLD SAFE HARBOUR AGREEMENT STRUCK DOWN BY THE COURT OF JUSTICE

Before one can assess the impact of the successor to the safe harbour agreement, it is crucial to understand the role of the original agreement in the framework of the EU’s data protection regulation. Equally, a basic understanding of the Schrems case, which led to the agreement’s invalidation by the Court of Justice, is indispensable for a good understanding of the context of the new agreement.

Although the European legislator could never have foreseen the extent of the current data flow between the EU and third countries, notably the US, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data[5] already provided for rules on the transfer of personal data of European citizens from the EU member states to third countries in its chapter IV. Whereas the directive is clear and relatively precise on the principles relating to data protection within the EU, the rules on the transfer of personal data to third countries merely provide that member states may only allow the transfer of personal data when the country in question “ensures an adequate level of protection”.[6] In order to allow an EU-wide approach to third country data transfers, the Directive endows the Commission with powers to make EU-wide determinations of the adequacy of the level of protection of a third country, either in the positive or in the negative.[7] In both cases member states are by the letter of the Directive bound to take the measures necessary to comply with the Commission’s decision. Additionally, the Directive also mandates the Commission to enter into negotiations with certain third countries in order to guarantee an effective protection of personal data of EU citizens through a specific agreement with the third country concerned.[8] Upon reaching a satisfying agreement, the Commission can then render a decision, finding that the country in question ensures an adequate level of protection of the personal data of EU citizens.[9]

It is within this exact context that between 1998 and 2000 the EU and the US federal Department of Commerce developed the safe harbour privacy principles for the transfer of personal data between the EU member states and the US, culminating in Commission Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.[10] In accordance with the agreement between the EU and the US, the US Department of Commerce issued the safe harbour principles,[11] enabling US organizations to self-certify by either joining a self-regulatory privacy program that adheres to the principles or by developing their own privacy policies, provided that they are in conformity with the principles. In order to benefit from the safe harbour mark of quality, facilitating the provision of services to EU citizens, an organization had to publicly declare that it adhered to the principles, at which point further compliance became mandatory. In principle, however, adherence was voluntary and non-adherence did not prevent a US organization from receiving personal data coming from the EU. Such organizations were simply required to give notice to those using their services that their privacy policy possibly did not comply with international standards. Nonetheless, the benefit of compliance seemed to outweigh the cost and most major organizations adhered to the principles, albeit in diverging manners. Decision 2000/520/EC created a blanket allowance for the different approaches to privacy in the transatlantic flow of personal data, as long as the organizations declared that they adhered to the principles. Following Art. 3 of Decision 2000/520/EC, the national data protection authorities of an EU member state could only suspend the flow of personal data in connection with a self-certified organization if either the US authority found a violation of the principles (Art. 3(1)(a)) or if extraordinary circumstances presented themselves, creating a substantial likelihood that the principles were being violated by a certified organization (Art. 3(1)(b)).

The safe harbour agreement came under heavy fire in 2013, when Edward Snowden revealed that US intelligence agencies, notably the NSA through its “PRISM” program, accessed personal data stored on US servers to conduct surveillance on people worldwide, gathering personal data en masse and virtually without restriction. This included personal data of European citizens, which had been sent to the US. At that time, the Commission had already started renegotiating the safe harbour agreement. However, it should be pointed out that the safe harbour principles never applied to national agencies such as the NSA in the first place, since they are not covered by Decision 2000/520/EC.[12] Although there is a separate discussion to be had about the protection of personal data of European citizens by private US companies as such, the main problem with the safe harbour agreement was that it allowed for a transatlantic data flow which was then, so it was revealed, subject to mass surveillance by US authorities, contrary to the EU’s principles of data protection. The principles as such, however, were not scrutinized in the Court’s judgment.[13]

Amongst others, an Austrian law student by the name of Maximilian Schrems argued that the very fact that such operations can take place in the US shows that the US does not provide an adequate level of protection, meeting the EU’s standard of privacy protection, thereby inherently invalidating the safe harbour agreement between the US and the EU. Just like hundreds of millions of people around the world, Schrems was a user of Facebook’s social network, which had self-certified under the safe harbour regime. In Europe, all personal data Facebook collects, passes through the server of its European seat in Ireland, before being sent anywhere else, notably to the US main servers. Although Facebook itself may have complied with the safe harbour principles, Schrems complained before the Irish Data Protection Commissioner that the safe harbour regime as such did not offer adequate protection for his personal data against surveillance by the US.

The Irish national data protection authority first rejected this complaint because it considered itself bound by the Commission’s decision on the adequacy of the level of data protection offered by the US. The Court, however,[14] decided that neither Directive 95/46/EC nor Decision 2000/520/EC of the Commission can, in the light of the Charter of Fundamental Rights of the EU, be interpreted as precluding a national data protection authority “from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”[15] However, as long as the Commission decision stood, member states could not adopt measures contrary to the decision. Therefore, the Court analysed the decision and found that, given the lack of any limit on US state interference, allowing the storage of personal data on a generalized basis without an effective remedy, Decision 2000/520/EC violates the fundamental rights guaranteed under Art. 7, 8 and 47 of the EU Charter.[16] Moreover, under Art. 25(6) of Directive 95/46/EC, the Commission must find in its decision, “duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order”.[17] The Court found that Decision 2000/520/EC did not state that the US did in fact ensure an adequate level of protection, nor could it have, given that the aforementioned US practices violated the EU Charter. Consequently, the ECJ concluded that the decision was invalid.[18]

The direct consequence of the Schrems judgment was that the main legal framework governing the data flow between the EU and the US suddenly disappeared, creating significant uncertainty and burdening the national data protection authorities of the member states with the task of assessing all remaining options for data transfer on a case-by-case basis and of taking action to stop the transatlantic flow of personal data where necessary. There is, however, nothing to suggest that the actual flow of personal data from the EU to the US has declined following the judgment. The national data protection authorities, through the Article 29 working party, adopted a practical approach under which certain data transfer tools could still be used, at the same time setting a deadline for the negotiation of a new safe harbour agreement by the end of January 2016.[19] The Commission has roughly met that deadline, announcing the EU-US Privacy Shield as the successor to the safe harbour agreement on 2 February 2016. The new agreement is the product of nearly three years of negotiations, which started in 2013 after the Snowden leak and were intensified following the Schrems judgment. While the text of the agreement is being finalized before its planned release to the public at the end of February, it has already attracted a lot of criticism. This will be discussed in what follows.

III. THE NEW AGREEMENT


Although the full text remains to be disclosed, the Commission has already indicated the main elements of the new agreement, which are structured around three pillars.

The first pillar provides that US companies importing personal data from Europe will have to commit to “robust” obligations concerning the processing of such data. The US Department of Commerce will monitor that companies publish such commitments, making them enforceable under US Law. Any company handling personal data coming from Europe has to commit to comply with decisions by European data protection authorities. In essence, this is no more than a restatement of the previously existing safe harbour regime.

The second pillar aims at limiting the surveillance mechanisms used by certain US authorities such as the NSA, which were revealed after the Snowden leak and were an important factor in invalidating the original safe harbour agreement. The new agreement aims to establish clear safeguards and transparency obligations for organs of the US government accessing personal data. In this regard, the US has assured the EU that the access to personal data by its authorities and agencies “for reasons of law enforcement or national security will be subject to clear limitations, safeguards and [will be accompanied by] oversight mechanisms.”[20] The remaining powers will be used only to the extent they are necessary and proportionate, supposedly ruling out indiscriminate mass surveillance. The arrangement will be reviewed yearly. It seems however to remain up to the US to determine the exact interpretation of these vague terms, and with US law still explicitly allowing mass surveillance,[21] strong concerns are being voiced by the media and privacy advocates. Given that the Court of Justice invalidated Decision 2000/520/EC precisely because it allowed the US to store personal data on a generalized basis,[22] one can expect that if no further clarification of these terms follows, the Court might not accept these vague commitments.

The third pillar of the new agreement aims at ensuring an effective protection of the rights of EU citizens to protection of their personal data, through the enactment of a Judicial Redress Act by the US Congress, providing for several redress possibilities. US companies will have strict deadlines to reply to complaints, the EU’s national data protection authorities will have the possibility of referring complaints directly to the US Department of Commerce and the Federal Trade Commission, and there will be possibilities for alternative dispute resolution, free of charge. The Judicial Redress Act will, however, not cover matters of intelligence and public security. For complaints concerning access by US authorities to personal data, EU citizens will have access to a newly created ombudsman. While these remedies might sound promising, it has been pointed out that European citizens are in large part forced to find judicial redress in the US, which has been met with criticism. Moreover, it is very questionable whether the proposed ombudsman will be an effective remedy to protect European citizens from violations of their right to protection of their personal data committed by US authorities. In its judgment in the Schrems case, the Court of Justice had put special emphasis on the right to have an effective remedy.[23]

Even without knowing the final text of the agreement and the exact extent of the obligations the US has entered into, it is already clear that the new agreement will not satisfy privacy advocates that had called for far greater commitments on the US side, especially concerning its mass surveillance practices. In the eyes of the critics, the agreement is a weak compromise, containing little or no relevant changes, desperately agreed upon to replace the main legal basis for the transatlantic flow of personal data, which is of major economic importance for multinationals with data-intense activities, Facebook just being one of numerous examples.

In conclusion, it is clear that the legal vacuum left by the Schrems judgment has raised the economic and political pressure on both sides, given the mutual interest in the transatlantic flow of personal data and the ever-growing economic importance of the services connected to this flow of data. Whether the resulting agreement will be a workable compromise, capable of protecting the personal data of Union citizens across the Atlantic remains to be seen.

IV. THE NEXT STEPS

While the agreement as such has been concluded, the EU-US Privacy Shield still has a way to go before it becomes operative. Currently, the Commission is drafting an adequacy decision as provided for under Art. 25(6) of Directive 95/46/EC. Before taking this decision, the Commission has to consult the Article 29 working party, which has committed to deliver its opinion by the end of March, and the so-called Article 31 Committee, constituted of member state representatives.[24] In the meantime the US side will make preparations to establish the framework and monitoring mechanisms agreed upon. Notwithstanding the heavy criticism, it seems likely that the Commission will take a decision giving effect to this agreement in the coming months.

It is clear that the negotiating parties have tried to address the concerns the Court of Justice had voiced in the Schrems case. However, as the agreement stands, without further clarifications of the broad and vague commitments relating to US government access to personal data, and without addition of more effective judicial remedies, the author must admit that the decision implementing the EU-US Privacy Shield seems predetermined to make a round trip to Luxembourg and back to Brussels only to be renegotiated and renamed once more.

————————————————

*Pieter Gryffroy was a research assistant at the Jean-Monnet-Chair of Prof. Dr. Giegerich for European Law and European Integration. He studied law in Leuven (LLB and LLM at the KU Leuven) and in Saarbrücken (Europa-Institut).

[1] http://europa.eu/rapid/press-release_IP-16-216_en.htm, accessed 15/02/2016.

[2] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.

[3] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf, accessed 15/02/2016.

[4] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160203_statement_consequences_schrems_judgement_en.pdf, accessed 15/02/2016.

[5] Official Journal L 281, 23/11/1995, P. 0031 – 0050.

[6] Art. 25 (1) Directive 95/46/EC. Art. 25 (2) provides for some broad assessment criteria.

[7] See Art. 25 (4) and 25(6) of Directive 95/46/EC.

[8] Art. 25(5) Directive 95/46/EC.

[9] Art. 25(6) Directive 95/46/EC.

[10] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441), Official Journal L 215, 25/08/2000, P. 0007 – 0047.

[11] See Annex I of Decision 2000/520/EC. The seven main principles are: notice, choice, onward transfer (requiring notice and choice), security, data integrity, access and enforcement.

[12] This follows from the limited scope of application of Directive 95/46/EC itself, in pursuance of which the Decision was taken. In its Art. 3(2) the Directive states that it does not apply to matters of public security, defence, state security and activities of the state in areas of criminal law.

[13] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 98.

[14] The matter was taken to the high court in Ireland and reached the Court of Justice through a preliminary ruling.

[15] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 38-66.

[16] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 67-98.

[17] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 96.

[18] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 106.

[19] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf, accessed 15/02/2016; the Article 29 working party had agreed that should the Commission fail, the national data protection authorities would take all necessary actions, including coordinated enforcement actions, to ensure the effective protection of personal data of European citizens. It should be noted that this would have been a herculean task.

[20] http://europa.eu/rapid/press-release_IP-16-216_en.htm, accessed 15/02/2016.

[21] Congress is currently struggling, trying to rewrite some of the US’s laws on surveillance. However, it remains to be seen what will effectively change, see e.g. http://www.theguardian.com/technology/2015/jun/06/surveillance-privacy-snowden-usa-freedom-act-congress, accessed 15/02/2016. An example of legislation still allowing mass surveillance is the Foreign Intelligence Surveillance Act.

[22] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 34, 93-94.

[23] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 95.

[24] In theory, should the Committee render a negative opinion, the matter would come before the Council, which could render an opposing decision (Art. 31 Directive 95/46/EC).

Copyright of the image: Defense Advanced Research Projects Agency (DARPA), https://commons.wikimedia.org/wiki/File:DARPA_Big_Data.jpg?uselang=de.

Suggested Citation: Gryffroy, Pieter, The EU-US Privacy Shield: An Effective New Framework for Transatlantic Data Flows or A Weak Compromise Doomed to Fail?, jean-monnet-saar 2016, DOI: 10.17176/20220706-165701-0 

Your Facebook Data Just Got a Lot More Secure – Case Analysis C-362/14 Maximillian Schrems v Data Protection Commissioner

Dissecting the Safe Harbor Decision of the ECJ

[Note: For a broader overview on the topic look at our recently published Saar Blueprint by Oskar Josef Gstrein – Regulation of Technology in the European Union and beyond (10/15) which also covers the Schrems Case]

Kanad Bagchi[1]

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” Words of Hollywood legend Marlon Brando, which to the mind of the author most aptly epitomize the Opinion of the Court in its Schrems decision (“Opinion”), delivered on 6th October 2015. Long-standing concessions regarding data processing and transfer between the European Union (“EU”) and United States (“US”) were summarily dismissed in the face of competing claims to the right to privacy and data protection. The Court declared that Commission Decision 2000/520 (“Decision”), recognizing the equivalence of US data protection mechanisms, fails to ensure ‘an adequate level of protection’ for EU citizens, as mandated under Directive 95/46/EC (“Directive”), the EU’s principal data protection law. Further, the Court reserved the powers of a Member State National Supervisory Authority to admit and examine claims against the processing and transferring of data to third countries, irrespective of the European Commission (“Commission”) finding that a particular third country ensures an adequate level of protection. The Opinion is likely to derange data intensive businesses in the EU and US, compelling authorities on both sides of the Atlantic to rework existing transfer arrangements. In other words, the Opinion is arguably the strongest response to Edward Snowden’s revelations with respect to extensive surveillance and monitoring activities undertaken by US authorities in the recent past, and has already received much fanfare amongst privacy activists and the like.

In the present post, the author dissects different aspects of the Opinion, in an attempt to produce more clarity and coherence on EU data protection rules and the Commission Decision on ‘Safe Harbor’, so as to underline the obligation of EU and member state authorities arising out of the same. The post also speculates on the immediate implications of the decision on US and EU tech firms and considers the momentous task ahead of the respective authorities.

Maximillian Schrems’s tryst with Privacy

Against the backdrop of Edward Snowden’s revelations concerning mass scale Internet and phone surveillance conducted by the US National Security Agency, Mr. Schrems, an Austrian national, approached the Data Protection Commissioner in Ireland, insisting that Facebook Ireland be prohibited from transferring his personal data to the US. Schrems’s claim was rejected by the Commissioner on the grounds, inter alia, that the former was constrained from advancing a plea of ‘inadequacy of protection’ as the EU Commission through its Decision had concluded otherwise. On appeal, however, the High Court reasoned that neither the Directive nor the Decision, when read in the light of both the Irish Constitution and the Charter of Fundamental Rights of the European Union (“Charter”), prevents national supervisory authorities from examining, in limine, a claim contesting the adequacy of protection afforded to his personal data in the third country. Finding that the above enquiry involved questions relating to the interpretation of EU law, the High Court thought fit to refer the questions to the ECJ for a preliminary ruling.

EU Safe Harbor rules and its context

Directive 95/46/EC has a twin set of objectives underpinning data protection within the EU and beyond. First, it provides a framework for the processing of personal data by member states of the EU and lays down certain safeguards pertaining to the same. Second, in the interest of international trade and business, it acknowledges and prescribes a mechanism to ensure the cross border free flow of personal data between EU member states and third countries. For the purposes of its second objective, with which the author is most acutely concerned, the Directive prescribes certain core principles (“safe harbor principles”) that ought to govern member state (MS) discretion in the transfer of personal data beyond EU borders. Article 25 of the Directive, inter alia, provides that a member state in approving such transfer of personal data is to satisfy herself that “…the third country in question ensures an adequate level of protection…” after considering all “…the circumstances surrounding a data transfer…” In this regard, if the Commission gathers that a third country falls short of providing an ‘adequate level of protection’, member states ought to implement measures “…necessary to prevent any transfer of data of the same type to the third country in question…” Likewise, if the Commission finds that a third country ensures an ‘adequate level of protection’, member states are to similarly take measures in pursuance of the same.

To ensure the proper implementation of the above-mentioned principles, the Directive calls for the establishment of independent National Supervisory Authorities (“supervisory authorities”) within each member state, endowed with an extensive set of powers. For instance, MS are to consult their respective supervisory authorities while formulating internal measures to give effect to the Directive. Further, such authorities have the power to investigate and access data pertaining to processing and transfer, deliver opinions with respect to processing operations, and also the power, if not the obligation, to agitate through legal means before national courts, the incorrect or improper implementation of the Directive by member state authorities. EU citizens may approach supervisory authorities and lodge claims “…concerning the protection of his rights and freedoms in regard to the processing of personal data…”, and have the right to be informed of the outcome of their claim. In essence, a whole gamut of responsibilities relating to supervision and monitoring the implementation of the Directive has been conferred on national supervisory authorities.

In pursuance of its powers under the Directive, the Commission adopted Decision 2000/520 certifying that the processes and mechanisms established by the US authorities ‘ensure’ an adequate level of protection of personal data transferred from the EU. In this regard, the Commission relied on a system of self-certification and public disclosure by organizations within the US of their intent and willingness to abide by the safe harbor principles. The framework for the above mentioned process was implemented in accordance with the guidance provided by the US Department of Commerce through frequently asked questions. By way of derogation, however, the applicability of the safe harbor principles to US organizations could be circumscribed so far as it is “…necessary to meet national security, public interest, or law enforcement requirements…”. It is important to note that the Decision was adopted in the year 2000, representing a state of affairs dating back fifteen years, and has remained unaffected since.

Ruling of the Court

The Court decided two sets of questions, namely, first, whether the powers of National Supervisory Authorities were constrained as a result of the Commission Decision on adequacy levels in the US and second, whether the Commission Decision was valid under extant rules of EU law.

At the outset, the Court observed that the Directive and its provisions ought to be interpreted in the light of the Charter, especially Article 7 (privacy) and 8 (data protection), in as much as the processing and transferring of data is liable to intrude into the Charter rights. Art. 28 (1) of the Directive therefore required member states to establish independent supervisory authorities tasked with the mandate to monitor the former’s compliance with EU law. Towards that end, the Court noted, supervisory authorities derive their power and competence directly from “…primary law of the European Union…” and operate independently of the Commission Decision. In the same breath, the Court determined that a Commission Decision adopted in pursuance of the Directive does not foreclose the power of the supervisory authority to examine claims relating to the processing of personal data. If upon such examination it appears that claims relating to the violation of Art. 7 & 8 of the Charter or the principles stated in the Directive are plausible, the supervisory authority ought to be in a position to challenge the same in the courts of the member states, which in turn ought to refer the question to the ECJ through the preliminary reference procedure. Thus, in effect, the Court ruled that a determination by the Commission of the adequacy or inadequacy of a third country regime in protecting the rights of the individual does not prevent supervisory authorities from entertaining claims pleading to the contrary.

Although the High Court did not specifically raise the question of validity of the Commission Decision, the ECJ after perusing through the scheme of the safe harbor regime, concluded that “…until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision…” Hence, it became imperative for the Court to examine the validity of the Commission Decision as against both the requirements of the Directive and the Charter.

While the Directive allows the Commission to conclude that “…a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments…” it admittedly does not define either the content or the standard in determining the adequacy of protection afforded by the third country’s regime. Under such circumstances, the Court reasoned that ‘adequate protection’ ought to mean ‘essentially equivalent’ if not ‘identical’ to the protection afforded to citizens in the EU.

In this regard, the Court found that the system of self-certification could only constitute a reliable measure of adequacy if it was backed by mechanisms to identify and punish errant US organizations. The Commission Decision, however, to the mind of the Court, did not contain “sufficient findings” with respect to any such mechanism employed by the US to ensure an adequate level of protection. Moreover, a turning point for the Court was its finding that the safe harbor principles were to govern, albeit voluntarily, the conduct of US organizations only, without having a consequent binding effect on the US public authorities. Therefore, the Decision admitted of the possibility of the safe harbor principles and their applicability being limited by state authorities in the interest of national security or public interest. Consequently, the Court found that the Decision was silent with respect to specifying either any limits to such state interference or the existence of effective legal protection against the same. While EU law, interpreted in the light of the Charter and the Court’s prior rulings, limits state interference to what is “strictly necessary”, the Decision allows US authorities to store all personal data on a “generalized basis”. Such general collection and processing of data, without the possibility of an effective remedy, the Court declared, constitutes an infraction of the rights guaranteed under the Charter, including Articles 7, 8 and 47 (effective judicial protection), thereby affecting the validity of the Commission Decision.

In addition, the Court declared invalid Article 3 of the Decision in so far as it restricted the powers of the national supervisory authorities to entertain claims relating to the adequacy of protection enshrined under third country rules on data protection.

Further Comments

The Schrems decision mirrors Advocate General Bot’s opinion in most parts, barring, however, some minor deviations (for a fuller enquiry, see here). In essence, the ECJ ruled that the present standard of protection afforded by the US does not match up to that of the EU and hence that US companies cannot be trusted with personal data belonging to EU citizens. Whether good wisdom prevailed on the Court depends on which side of the debate one finds oneself on. Indeed, the Court conveniently assumed certain regulatory and administrative artifacts of the US system without having provided US officials with the opportunity to be heard on the matter. Moreover, as pointed out, the Court placed incessant reliance on outdated Commission reports suggesting a less rigorous approach towards the preservation of individual liberties in the US. Extreme criticism has therefore been leveled against the Court for condemning an entire system of rules and regulations on the basis of presumptuous evidence. Also, the Court’s insistence on a standard of ‘adequacy’ resting on “essentially equivalent” rather than “identical” is neither precise nor helpful, leaving much to judicial oversight and less to bureaucratic discretion. While the Court did not find the process of ‘self-certification’ to be inherently repugnant to the idea of equivalent protection, it nonetheless emphasized that such certification alone was inadequate in the absence of consequent enforcement. This raises the question whether the US authorities will now have to commission independent bodies, much like the national supervisory authorities in the EU, to constantly monitor the implementation of the safe harbor principles.

Where has the decision left state authorities and private corporations?

The EU and the US were already undergoing negotiations for a review of the Decision in the aftermath of the Snowden revelations, and it is reasonable to suggest that the Commission will now have to seek more far-reaching commitments from the US authorities than were previously estimated. Considering the differing standards of protection afforded to privacy rights in the EU and the US, a new agreement on the subject is likely to be long-drawn-out and tiresome. In the meanwhile, personal data transfer for US companies is definitely going to get more cumbersome and costly, as the process of transfer would be largely governed by 28 different national rules on the subject, each displaying varying degrees of bureaucratic skirmishes. Although there are reports suggesting that certain companies, in anticipation of the decision, had already started reviewing their transfer policies, including considering moving to options like model contract clauses and binding corporate rules, the situation is a far cry from ‘business as usual’, especially for small and medium enterprises.

That apart, the Opinion has received a favorable response from privacy activists and human rights groups, especially in the light of the Court’s insistence that mass surveillance and indiscriminate sourcing of personal data constitute a violation of the Charter rights. Further, as a result of the Opinion, supervisory authorities are likely to exercise a more active role in assessing the cross-border transfer of data, which only adds yet another layer of protection to personal data. Privacy advocates are already anticipating that in the long run, European citizens may be able to contend that their data be stored and processed only within the borders of the EU, much like the recent Russian agenda. Nonetheless, as things stand today, the clock has been turned back several years and much has been left to chance and uncertainty.

[1] Kanad Bagchi (kanad.bagchi@gmail.com) is an MSc Candidate in Law and Finance at the Faculty of Law, University of Oxford, UK. Formerly, he was a research assistant at Europa-Institut, Universität des Saarlandes, Germany.

Suggested Citation: Bagchi, Kanad, Your Facebook Data Just Got a Lot More Secure: Case Analysis C-362/14 Maximillian Schrems v Data Protection Commissioner, jean-monnet-saar 2015, DOI: 10.17176/20220308-174158-0

Regulation of Technology in the EU and beyond – General Data Protection Regulation, Safe Harbor (C-362/14), Data Retention and more

Saar Blueprint features analysis of Safe Harbor Decision „Maximillian Schrems v Data Protection Commissioner“ (C-362/14) and other recent developments

The most recent publication in our Saar Blueprint series has the title „Regulation of Technology in the EU and beyond – The state of play in autumn 2015.“ The analysis features the state of play in the negotiations on the General Data Protection Regulation, a comment on the Safe Harbor Decision (C-362/14) and the Umbrella agreement, an overview on recent developments in Data Retention and more.

You can download the text via this link. We wish you pleasant reading!