Cyber Security / Cyber Crime, Privacy, Data Protection and Retention, Surveillance
Nederlandstalige rechtbank van eerste aanleg Brussel, 2015/57/C
Closed Mixed Outcome
The European Court of Justice struck down the transatlantic U.S.-EU Safe Harbor agreement that had been in place for 15 years and enabled companies to transfer data from Europe to the United States. U.S. companies could self-certify that they would comply with EU data protection standards in order to allow for the transfer of European data to the United States. The Court found that European data was not sufficiently protected in the United States and invalidated the decision that created the agreement. It was held that even if the U.S. companies involved were taking adequate protection measures, U.S. public authorities are not subject to the Safe Harbor guidelines and therefore European citizens’ data and privacy were at risk from U.S. government surveillance.
Maximilian Schrems, an Austrian citizen, had been a Facebook user since 2008. All of the data provided to Facebook in Ireland is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr. Schrems lodged a complaint with the Irish Data Protection Commissioner saying that in light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services such as the National Security Agency (‘NSA’), the law and practice of the United States did not offer adequate protection against surveillance by public authorities of the data transferred to that country. The Irish authority rejected the complaint, taking the view that an investigation into the matters raised by Mr. Schrems was unfounded and that there was no evidence that Mr. Schrems’ personal data had been accessed by the NSA. Further, the Commissioner held that the allegations raised by Mr. Schrems would have to be determined in accordance with Decision 2000/520 – the Safe Harbor decision – and the Commission had found in that decision that the United States ensured an adequate level of protection.
The case then went before the High Court of Ireland. The High Court found that whilst electronic surveillance and interception of personal data transferred from the EU to the United States served necessary and indispensable objectives in the public interest, revelations made by Edward Snowden had demonstrated ‘significant over-reach’ on the part of the NSA and other federal agencies. It was held that Irish law precluded the transfer of personal data outside national territory unless the third country ensured an adequate level of protection for privacy and fundamental rights and freedoms, and that the importance of the rights to privacy and the inviolability of the dwelling, as guaranteed by the Irish Constitution, required that any interference with those rights be proportionate and in accordance with the law. It was held that mass and undifferentiated accessing of personal data is clearly contrary to the principle of proportionality and the fundamental values protected by the Irish Constitution, and that, to be regarded as consistent with the Irish Constitution, interceptions must be shown to be targeted, surveillance of certain persons or groups of persons must be objectively justified in the interests of national security or the suppression of crime, and there must be appropriate and verifiable safeguards. The High Court concluded that if the main proceedings were to be disposed of on the basis of Irish law alone, it would then have to be found that, given the serious doubt as to whether the United States ensures an adequate level of protection of personal data, the Commissioner should have proceeded to investigate the matters raised by Mr. Schrems in his complaint and was wrong to reject the complaint.
However, the High Court considered the case to concern the implementation of EU law. The High Court held that Decision 2000/520 did not satisfy the requirements flowing both from Articles 7 and 8 of the Charter and from the principles set out by the Court of Justice in the judgment in Digital Rights Ireland and Others. The Court noted that the right to respect for private life as guaranteed by Article 7 of the Charter and by values common to the traditions of the Member States, would be meaningless if State authorities were authorized to access electronic communications casually and on a generalized basis without objective justification based on considerations of national security or crime prevention that are specific to the individual concerned and accompanied by appropriate and verifiable safeguards.
The High Court decided to stay the proceedings and to refer the following questions to the Court of Justice for preliminary ruling:
“(1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Decision 2000/520 having regard to Article 7, Article 8 and Article 47 of the Charter, the provisions of Article 25(6) of Directive 95/46 notwithstanding?
(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?”
The ECJ, composed of judges V. Skouris (President), K. Lenaerts (Vice-President), A. Tizzano, R. Silva de Lapuerta, T. von Danwitz, S. Rodin and K. Jürimäe, Presidents of Chambers, A. Rosas, E. Juhász, A. Borg Barthet, J. Malenovský, D. Šváby, M. Berger, F. Biltgen and C. Lycourgos, Judges, delivered the judgment.
The Court began its analysis by outlining the principles of the European Data Protection Directive: transfers of personal data to third countries ought to take place only if the third country ensures an adequate level of protection of the data; national data protection Commissions may find that an adequate level of protection exists by reason of domestic law or international commitments; and each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’). However, the Court held, the existence of a Commission decision finding that a country ensures adequate protection of personal data did not eliminate or reduce the powers available to national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. It was stressed that the directive sought to “ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms.”
The Court then investigated whether the Safe Harbor Decision was invalid. The Court pointed out that there is no definition of the concept of an ‘adequate level of protection’ but noted that it did not require a level of protection identical to that guaranteed in the EU legal order. Nonetheless, it did require that the third country ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU. It was held that the complained-of system of self-certification was not in itself contrary to the requirements for an adequate level of protection, but that “the reliability of such a system, in the light of that requirement, is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules ensuring the protection of fundamental rights, in particular the right to respect for private life and the right to protection of personal data, to be identified and punished in practice.”
The Court observed that the principles of the safe harbor scheme applied only to self-certified U.S. organisations receiving personal data from the European Union, and U.S. public authorities were not required to comply with them. Furthermore, it was held that the safe harbor decision did not contain sufficient findings regarding the measures by which the United States ensured an adequate level of protection by reason of its domestic law or its international commitments. Examining the EU level of protection of fundamental rights and freedoms, the Court stated that any interference required clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, which were needed even more when personal data was subjected to automatic processing and there was a significant risk of unlawful access to that data. In addition, protection of the fundamental right to respect for private life at EU level requires derogations and limitations to the protection of personal data to apply only when strictly necessary. In contrast, the Court noted that Decision 2000/520 allowed that any national security, public interest and law enforcement requirements of the United States prevailed over the safe harbor scheme and U.S. organisations were bound to disregard, without limitation, the protective rules of the scheme when they conflicted with such requirements. Thus, the Court held, the U.S. safe harbor scheme enables interference, by U.S. public authorities, with the fundamental rights of persons.
Legislation permitting public authorities to have access on a generalized basis to personal data, the Court held, undermined the essence of the fundamental right to respect for private life: “To establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference.”
Finally, the Court held that the Safe Harbor Decision denied national supervisory authorities their powers granted by Article 25 of Directive 95/46 to ‘take action to ensure compliance with national provisions… suspend data flows to an organisation that has self-certified its adherence to the [principles of Decision 2000/520]’ when a person calls into question whether a decision is compatible with the protection of the privacy and fundamental rights and freedoms of individuals.
For all the above reasons, the Court declared the Safe Harbor Decision invalid.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
This case can be considered to be expansive of expression as it provides greater protection for the private data and information of the citizens of the EU by taking a more restrictive approach to data transfer and handling of European data. However, the striking down of a 15-year-old regime for data transfer will temporarily lead to uncertainty until another framework is put into place.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Articles 25(6) and 28