CJEU - C-362/14 - Schrems I
CJEU - C-362/14 Schrems I | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 25 Directive 95/46/EC; Article 28 Directive 95/46/EC; Article 47 CFR; Article 7 CFR; Article 8 CFR; Decision 2000/520/EC |
Decided: | 10.06.2015 |
Parties: | Maximilian Schrems; Data Protection Commissioner (DPC) |
Case Number/Name: | C-362/14 Schrems I |
European Case Law Identifier: | ECLI:EU:C:2015:650 |
Reference from: | High Court (Ireland) |
Language: | 24 EU Languages |
Original Source: | AG Opinion; Judgement |
Initial Contributor: | tjk |
The court invalidated the "Safe-Harbor" Adequacy Decision which enabled data transfers to the US. The court found that the law and practices in the US did not ensure an "essentially equivalent" level of protection to the EU.
English Summary
Facts
Maximilian Schrems, an Austrian citizen, had been a Facebook user since 2008. Some of Mr. Schrems's personal data had been transferred by Facebook Ireland to servers belonging to Facebook Inc., located in the US.
Personal data transferred by undertakings such as Facebook Ireland to their parent company established in the US can be accessed by the NSA and other US security agencies in the course of mass and indiscriminate surveillance. EU citizens have no effective right to be heard on the question of surveillance and interception of their data by the NSA and other US security agencies.
By Decision 2000/520 (the Adequacy Decision), the Commission had declared data transfers to the US under the safe-harbor regime legal under Article 25(6) of the Data Protection Directive 95/46 (Directive 95/46). Article 1 of the decision found the US's protection of personal data adequate if the recipients adhered to the so-called safe harbor privacy principles. These included derogations from data protection principles for US national interests. In Article 3 of the decision the Commission heightened the threshold for DPAs to take action within the scope of Article 25 of Directive 95/46.
In 2013, Mr. Schrems complained to the Irish Data Protection Commissioner (DPC) seeking to prohibit these transfers, claiming that the US did not have an adequate level of protection.
When this complaint was rejected, he brought an action against the decision before the Irish High Court, which in turn referred a number of questions to the CJEU, asking in essence whether Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 CFR, must be interpreted to mean that an Adequacy Decision prevents a DPA from examining the claim of a data subject regarding transfer of personal data to that third country when it contends that the law and practices in force in the third country do not ensure an adequate level of protection.
The Advocate General's Opinion
The AG opined that the derogations provided for in the Adequacy Decision, which enable access by US authorities to data transferred to US organisations within the safe harbor regime, are too general and not limited to what is strictly necessary to adequately protect data from EU-based persons. Thus, the AG found that the US intelligence services’ access to the transferred data interferes with fundamental rights.
The AG considered that EU citizens using Facebook are not informed that their personal data will be generally accessible to US security agencies, and that EU citizens have no effective right to be heard on the surveillance and interception of their data. While the AG found that there is oversight by the US Foreign Intelligence Surveillance Court, the proceedings before it are secret and ex parte, which, in the AG’s opinion, is an interference with the right of citizens to an effective remedy protected by Article 47 CFR.
The AG found it “extremely doubtful” that the limitations at issue may be regarded as respecting the essence of Article 7 or 8 EUCFR, as they do not define the grounds for the derogations with sufficient precision. Thus, the AG opined that Decision 2000/520 must be declared invalid. The AG stated that neither private dispute resolution mechanisms nor the Federal Trade Commission can challenge access by the US intelligence services to personal data transferred from the EU, and that there is no independent authority capable of verifying that the implementation of the derogations is limited to what is strictly necessary.
Therefore the AG found that the Commission exceeded the limits imposed by compliance with the principle of proportionality in light of Articles 7, 8 and 52(1) EUCFR. The Adequacy Decision, according to the AG, must therefore be declared invalid since it does not ensure an adequate level of protection of the personal data transferred from the EU to the US under that scheme.
The Court's Decision
The CJEU held that the Commission's Safe Harbour decision did not prevent the DPC from examining whether the transfer of user data to the USA by Facebook should be suspended. The court found that DPAs do not have powers on the basis of Article 28 Directive 95/46 regarding processing carried out in a third country. However, the court held that having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data, and thus found the DPAs vested with the power to check whether a data transfer to a third country complies with the requirements laid down by Directive 95/46.
The court found that until a Commission decision is declared invalid by the court, DPAs cannot adopt measures contrary to that decision, as it is in principle presumed to be lawful until withdrawn, annulled or declared invalid. However, the court found that Decision 2000/520 cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the DPA a claim concerning the protection of their rights and freedoms. If, the court reasoned, the DPA rejects the claim, the complainant must, in the light of Article 47 CFR, have access to judicial remedies. If, however, the DPA considers the complaint well founded, the court held, it must, in accordance with Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) CFR, be able to engage in legal proceedings. Thus, according to the court, the national legislature must provide for legal remedies enabling the DPA concerned to put forward its objections before the national courts, which may make a reference for a preliminary ruling.
Thus the court held that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 CFR, must be interpreted as meaning that an Adequacy Decision does not prevent a DPA from examining the claim of a data subject that the law and practices in force in the third country do not ensure an adequate level of protection.
Furthermore, the court found that Article 25(6) of Directive 95/46 requires that, for the level of data protection offered by a third country to be considered "adequate", it be “essentially equivalent” to that of the EU, as otherwise circumvention of Directive 95/46 would be too easy. The court held that the Commission is obliged to assess whether a third country's domestic law or international commitments and its compliance practice afford an essentially equivalent protection, and to check periodically whether this assessment is still correct.
The court found that the Adequacy Decision, in stating that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbor principles, enables interference with the fundamental rights of the persons whose personal data is or could be transferred to the US. Regarding the derogations and limitations within the Adequacy Decision, the court stated, drawing on C‑293/12 and C‑594/12, that they must apply only in so far as is strictly necessary, which is not the case where legislation generally authorises storage of all the personal data transferred from the EU to the US without any differentiation, limitation or exception. In particular, the court found that legislation permitting the public authorities' access on a generalised basis to the content of electronic communications compromises the essence of the fundamental right to respect for private life, as guaranteed by Article 7 CFR. Likewise, the court held that legislation not providing for an individual to pursue legal remedies to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 CFR. Consequently, the court held that, in including such derogations within its decision, the Commission could not state that the US ‘ensures’ an adequate level of protection. Thus the court invalidated Article 1 of the Adequacy Decision, which declared the level of protection in the US adequate.
Additionally, the court found that Article 25(6) of Directive 95/46 does not empower the Commission to eliminate or restrict the powers of the DPAs. Article 3 of the Adequacy Decision, in restricting the DPAs' ability to act where a data subject calls into question whether an Adequacy Decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals, therefore exceeded the Commission's powers. Therefore the court invalidated Article 3 of the decision.
In conclusion, the court held that, as Articles 1 and 3 of the decision are inseparably linked, it invalidates the decision as a whole.