Court of Justice of the European Union: Advocate General’s Opinion in Case C - 362/14
September 23, 2015
According to Advocate General Bot, the Commission decision finding that the protection of personal data in the United States is adequate does not prevent national authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the United States
The Advocate General considers furthermore that the Commission decision is invalid
The Data Protection Directive1 provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The directive also provides that the Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred.
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
In today’s Opinion, Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid.
The Advocate General states first of all that, in the light of the importance of the role played by the national supervisory authorities with regard to data protection, their powers of intervention must remain intact. If the national supervisory authorities were absolutely bound by decisions adopted by the Commission, which would inevitably limit the total independence to which they are entitled under the directive. The Advocate General thus draws the conclusion that, if a national supervisory authority considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision. The power conferred by the directive on the Commission does not affect the powers which the directive has conferred on the national supervisory authorities. In other words, the Commission is not empowered to restrict the powers of the national supervisory authorities.
While the Advocate General acknowledges that the national supervisory authorities are legally bound by the Commission decision, he considers, however, that such a binding effect cannot require complaints to be rejected summarily, that is to say, immediately and without any examination of their merits, in particular as the competence to find that a level of protection is adequate is one that is shared between the Member States and the Commission. A Commission decision does, admittedly, play an important role in ensuring uniformity in the conditions governing transfers that are applicable within the Member States, but that uniformity can continue only while that finding is not called into question, including in the context of a complaint which the national supervisory authorities must deal with under the investigative and banning powers that they are granted by the directive.
Furthermore, according to the Advocate General, where systemic deficiencies are found in the third country to which the personal data is transferred, the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the Charter of Fundamental Rights of the EU, which include the right to respect for private and family life and the right to the protection of personal data.
Given the doubts expressed during the present proceedings as to the validity of Decision 2000/520, the Advocate General considers that the Court should determine this issue and he comes to the conclusion that the decision is invalid. It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Those findings of fact demonstrate that the Commission decision does not contain sufficient guarantees. Owing to that lack of guarantees, that decision has been implemented in a manner which does not satisfy the requirements of the directive or the Charter.
The Advocate General considers furthermore that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens of the to an effective remedy, protected by the Charter.
According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance. Indeed, the access which the United States intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.
Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.
NOTE: The Advocate General’s Opinion is not binding on the Court of Justice. It is the role of the Advocates General to propose to the Court, in complete independence, a legal solution to the cases for which they are responsible. The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
3 The safe harbour scheme includes a series of principles concerning the protection of personal data to which American undertakings may subscribe voluntarily.
Source: Press release No. 106/15 - 23.09.2015 - http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf