
EU/US Safe Harbor Ruled Insufficient to Protect Data Privacy

By John DiGiacomo

Mr. Maximilian Schrems is an Austrian national living in Austria who has used Facebook since 2008.[1] On June 25, 2013, Mr. Schrems brought a complaint to the Data Protection Commissioner (the “Commissioner”) asking that the Commissioner use their statutory powers to prohibit Facebook Ireland from transferring personal data to Facebook Inc., which sits within the United States. Mr. Schrems argued that the law and practices of the United States did not ensure adequate protection of his personal data stored within that nation against surveillance activities engaged in by United States (“US”) public authorities. Specific mention was made of Edward Snowden and his disclosures regarding the activities of US intelligence services, specifically the National Security Agency (“NSA”).[2]

The Commissioner was of the opinion that an investigation into these matters was not necessary and thus rejected the complaint as “unfounded.”[3] The Commissioner held that Mr. Schrems’ allegations could not be properly brought anyway, because the question of adequacy of data protection in the US had been decided in accordance with Decision 2000/520, where the Commission found that the US did in fact ensure an adequate level of protection.[4]

Mr. Schrems then brought his action before the High Court and challenged the decision of the Commissioner. The High Court held that the electronic surveillance and interception of personal data that was transferred between the European Union and the United States served a “necessary and indispensable [objective] in the public interest.”[5]

Irish law prohibits the transfer of personal data outside national territory, except where the third party nation has ensured an adequate level of protection for privacy and the fundamental rights and freedoms. The Irish Constitution guarantees the importance of these rights.[6] The mass, homogenous accessing of personal data in the US is contrary to these rights.[7]

However, the High Court held that the case concerns not the application of Irish law, but of the law of the European Union. The High Court found that Decision 2000/520 did not satisfy requirements stemming from Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the “Charter”).[8] According to the High Court, even though Mr. Schrems’ complaint does not directly contest the validity of Directive 95/46 or Decision 2000/520 by the Commission, the question is raised as to whether or not, given Article 25(6) of Directive 95/46, the Commissioner was bound by the finding in Decision 2000/520, or if Article 8 of the Charter authorized the Commissioner to investigate the claim.[9] The High Court stayed the proceedings and referred two questions to the Court of Justice for a preliminary ruling.[10] These questions have been summarized under “Issues.”

Issues

  1. Whether Article 25(6) of Directive 95/46, read in conjunction with Articles 7, 8, and 47 of the Charter, is to be interpreted to mean that a decision made by the Commission, such as Decision 2000/520, where the decision finds a third party nation does ensure an adequate level of protection, prevents a supervisory authority of a European Union Member State from examining the claim of an individual concerning the protection of their rights and freedoms in regard to the processing of personal data relating to them that is transferred to that third nation, if the individual holds that the law and practices of the third nation do not ensure an adequate level of protection.[11]

Judgment

Article 25(6) of Directive 95/46, read in tandem with Articles 7, 8, and 47 of the Charter, results in a finding that decisions such as Decision 2000/520, where the Commission finds a third party nation does ensure an adequate level of protection, do not prevent supervisory authorities of Member States from investigating claims, in this case a claim that an individual’s rights and freedoms in regard to the processing of their personal data have been violated by the transfer to that third party nation, as a result of the law and practices in force in that nation.[12]

Article 1 of Decision 2000/520 fails to comply with the requirements outlined in Article 25(6) of Directive 95/46, and when these requirements are taken in conjunction with the Charter, Article 1 is found to be invalid.[13] In choosing to adopt Article 3 of the decision, the Commission exceeded the power granted to it under Article 25(6) of the directive, and as a result Article 3 is also invalid.[14] Articles 1 and 3 are inseparable from Articles 2 and 4 of the decision and the included annexes. As such, the invalidity of Articles 1 and 3 affects the validity of the entire decision, leaving Decision 2000/520 invalid.[15]

Reasoning

  1. Powers of National Supervisory Authorities

Under Article 28(1) of Directive 95/46, Member States are required to establish one or more public authorities that will be responsible for monitoring compliance with the European Union laws regarding the protection of individuals’ data when said data is being processed. These authorities are to have complete independence.[16] This independence is designed to ensure there is an effective and reliable monitoring system to oversee compliance with provisions concerning the protection of individuals in relation to the processing of personal data. Any and all of their objectives and actions must be interpreted in light of this aim.[17]

Flowing from the purpose of the national supervisory authorities, they hold a wide range of powers. One of these powers is an investigative power, whereby they can collect all necessary information for the performance of their duties. They also have powers of intervention (for example imposing a temporary or definitive ban on the processing of data), and the ability to engage in legal proceedings. A non-exhaustive list of their powers is outlined in Article 28(3) of Directive 95/46.[18]

As per Article 28(1) and (6) of the Directive, the powers regarding the processing of personal data are specific to what takes place within their own Member State. As a result, supervisory authorities do not have power over the processing of data that is carried out by a third party nation.[19] However, when taken in accordance with Article 8(3) of the Charter, supervisory authorities are vested with the ability to check and confirm that a transfer of personal data from their own Member State to a third party nation complies with the requirements established by Directive 95/46.[20] As such, they have a right to consider all claims regarding the transfer and processing of data coming from their State.

  2. Validity of Decision 2000/520

Since the level of protection offered by a third party nation can change with time, it is imperative that the Commission periodically checks whether the finding from its original decision (that there is adequate protection) is still justified. Although this ‘check’ needs to be done on a periodic basis anyway, it is crucial that it be carried out when new evidence gives rise to a doubt regarding this former decision.[21]

Decision 2000/520 provides that “national security, public interest, or law enforcement requirements” will have primacy over safe harbor principles negotiated with the European Union.[22] Based on the Commission’s own assessment, they found that US authorities were able to access personal data that was transferred from Member States to the US and their processing was “incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.”[23] Legislation in the US which permits public authorities access, on a general basis, to the content of electronic communication is viewed as compromising the essence of the fundamental right to respect for private life, provided for in Article 7 of the Charter.[24]

For the Commission to be able to adopt a decision under Article 25(6) of Directive 95/46, it must find that the third party nation does in fact ensure, by reason of domestic law or its international commitments, a level of protection of fundamental rights that is equivalent to that guaranteed in the European Union.[25] However, the Commission did not state in Decision 2000/520 that the US ensures an adequate level of protection.[26] As a result, Article 1 fails to comply with the requirements set out in the Directive and is thus invalid.

Article 3 of Decision 2000/520 prevents supervisory authorities from taking action to ensure compliance with Article 25 of Directive 95/46.[27] As a result, in adopting Article 3, the Commission exceeded the power bestowed on it in Article 25(6) of the directive, when read in tandem with the Charter. Thus, Article 3 of the decision is also invalid.

Overall, it was held that national supervisory authorities do have the right and obligation to investigate claims, even when a decision has been released providing information counter to that claim. Further, Decision 2000/520 was held invalid as a whole.

[1] Para. 26.

[2] Para. 27-28.

[3] Para. 29.

[4] Id.

[5] Para. 30.

[6] Para. 32.

[7] Para. 33.

[8] Para. 34.

[9] Para. 35.

[10] Para. 36.

[11] Para. 37.

[12] Para. 66.

[13] Para. 98.

[14] Para. 105.

[15] Para. 106.

[16] Para. 40.

[17] Para. 41.

[18] Para. 43.

[19] Para. 44.

[20] Para. 47.

[21] Para. 76.

[22] Para. 86.

[23] Para. 90.

[24] Para. 94.

[25] Para. 96.

[26] Para. 97.

[27] Para. 101.
