Mathias Cheung (@MathiasCheung)
The CJEU hands down a landmark judgment in Case C-362/14 Schrems v Data Protection Commissioner, holding that the “Safe Harbour” arrangement between the US and the EU is unlawful and contrary to EU data protection law. This decision will have a huge impact on social media providers and companies like Facebook which have habitually been transferring data of European citizens to US servers for storage.
DATA PRIVACY DIRECTIVE
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Data Privacy Directive”) required Member States to ensure that transfer of personal data to a third country would only take place if there is an adequate level of protection in that third country, by assessing such protection in the light of all the circumstances: Article 25(1)-(2). Each Member State had to establish an independent supervisory authority to monitor and investigate the level of protection, hear claims from individuals, and intervene if there is an infringement of privacy: Article 28.
The Commission is entitled under Article 25(6) to adopt decisions finding that a third country ensures an adequate level of protection, and this is generally binding on Member States as a matter of EU law. There are limited circumstances in which a Member State may derogate from Article 25 and allow data transfers despite inadequate protection e.g. the data subject consents, or it is necessary on public interest grounds: Article 26.
The process for adequacy decisions under Article 25(6) has been described as “slow and cumbersome”, with only 12 decisions issued in 17 years, affording “uneven protection for individuals” according to a Commission Communication. There are thus plans to replace the current regime with a proposed General Data Protection Regulation (“GDPR”).
COMMISSION DECISION 2000/520
The Commission issued Decision 2000/520 on the basis of Article 25(6) of the Data Privacy Directive. It provides that US companies may self-certify themselves as complying with the “Safe Harbour Principles” and “Frequently Asked Questions”, which would entitle them to the presumption of “adequacy” of privacy protection: Article 1. Member States could only suspend data flow to these US companies if the US government found an infringement of the Principles, or there is a substantial likelihood that there is a violation: Article 3. The Commission can adapt Decision 2000/520 in the light of implementation and the level of protection in the US: Article 4.
The Safe Harbour Principles are subject to a few exceptions, notably national security, public interest and conflicting obligations under US law. There is no official enforcement mechanism for an aggrieved person in the EU to complain about a breach of data privacy to the US government or Federal Trade Commission, nor to recover compensation for such a breach: see FAQ 11 annexed to Decision 2000/520.
THE LEGAL PROCEEDINGS
The CJEU decision arises from a claim brought by Max Schrems, an Austrian law student and data privacy campaigner, in the High Court of Ireland. He challenged the decision of the Data Privacy Commissioner in Ireland rejecting his complaint against the use of his data by Facebook under the Safe Harbour arrangements, which transfers a large amount of personal data from the EU to servers in the US for storage. The complaint was based on Edward Snowden’s NSA leaks showing that EU data is vulnerable to surveillance by the US government using the PRISM programme.
The High Court considered that Schrems was essentially challenging the lawfulness and hence validity of Decision 2000/520, stayed the proceedings accordingly and referred the question to the CJEU.
The CJEU, essentially following the Opinion of Advocate General Bot handed down last month, held that:
(1) a national supervisory authority could investigate the adequacy of the Safe Harbour Principles;
(2) the Commission’s discretion in finding a third country’s data protection adequate is reduced in the light of the right to respect for one’s private life and protection of personal data enshrined by Articles 7 and 8 of the Charter of Fundamental Rights of the EU (“EUCFR”);
(3) the Commission failed to ensure that the level of protection in the US is adequate, in accordance with the Data Privacy Directive, and Decision 2000/520 is therefore invalid.
INCREASING HUMAN RIGHTS PROTECTION
The Schrems judgment becomes the latest instalment in a line of recent (and often controversial) CJEU decisions considering the Data Privacy Directive and increasing protection of data privacy within the EU.
In April 2014, the CJEU declared in Joined Cased C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others that the Data Retention Directive is disproportionate and thus invalid because of its generalised and indiscriminate nature, lacking any safeguards from abuse.
In May 2014, the CJEU found in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González that there is a “right to be forgotten” and Google as the data handler has to consider requests from individuals to remove certain links from search results.
The CJEU reiterated the emphasis on data privacy and the EUCFR at paragraph 39 (citing Digital Rights Ireland at paragraph 53 and Google Spain at paragraphs 53, 66, 74):
“It is apparent from Article 1 of Directive 95/46 and recitals 2 and 10 in its preamble that that directive seeks to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms. The importance of both the fundamental right to respect for private life, guaranteed by Article 7 of the Charter, and the fundamental right to the protection of personal data, guaranteed by Article 8 thereof, is, moreover, emphasised in the case-law of the Court.”
The Court thus concluded at paragraph 66 that national supervisory authorities must be able to independently examine claims by individuals concerning the protection of their fundamental rights and freedoms from laws and practices in a third country. It further held at paragraph 78 that the Commission’s exercise of its discretion must be strictly reviewed, “in view of, first, the important role played by the protection of personal data in the light of the fundamental right to respect for private life and, secondly, the large number of persons whose fundamental rights are liable to be infringed where personal data is transferred to a third country not ensuring an adequate level of protection”.
In this post-Snowden era, the CJEU has positioned the EU in the avant garde of data protection and privacy, taking over a province once reserved for the European Human Rights Court in Strasbourg, which held in cases like Amann v Switzerland (2000) 30 EHRR 834 at paragraphs 68-70 that the storage of a person’s data, even if not sensitive or actually used, constitutes an interference with the right to private life under Article 8 ECHR (analogous to the CJEU’s stance at paragraph 87, following Digital Rights Ireland at paragraph 33). In relation to state surveillance, there is also a long line of Strasbourg decisions from Malone v United Kingdom (1984) 7 EHRR 14 to Liberty v United Kingdom (2009) 48 EHRR 1 holding that surveillance by the UK government is unlawful.
In this respect, the CJEU has gone a massive step further than its Strasbourg counterpart and increased protection of those resident in the EU (and hence the UK) from surveillance by the US authorities, a result which could not be achieved under the ECHR as the US is not a Contracting State. From a human rights and personal data protection perspective, this is a laudable and important decision, at least in principle, for the UK and the EU as a whole.
The fact that the EU is increasingly asserting its role as an autonomous protector of human rights takes it beyond its initial ambition as an economic institution dating back to the European Coal and Steel Community. This is notwithstanding the EU’s obvious and distinct interest in asserting the primacy of its legal order, to the extent that it has effectively subjected a third country to EU legal standards and the EUCFR.
It is welcome that a new emphasis has been developing ever since Lisbon; indeed, Article 2 TEU stresses that “the Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights”, and Article 6 gives the EUCFR the same legal status as the Treaties. We have yet to see the full realisation of the EU’s potential in furthering the protection of fundamental rights and freedoms.
WHAT EXACTLY IS “ADEQUATE”?
The CJEU acknowledged at paragraph 73 that “adequate” is not defined but signified that a third country cannot be required to afford “a level of protection identical to that guaranteed in the EU legal order”. It held, following the Advocate General’s Opinion at paragraph 141, that in order to prevent the high level of protection required by the Data Privacy Directive from being easily circumvented:
“[T]he term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.”
This line of reasoning is not easy to follow. On the one hand, the CJEU no doubt accepts, as the Advocate General did, that “adequate” has an autonomous meaning and cannot effectively require a third country to comply with EU standards. Indeed, at paragraph 142 of his Opinion, Advocate General Bot noted that “the English word ‘adequate’ may be understood, from a linguistic viewpoint, as designating a level of protection that is just satisfactory or sufficient, and thus as having a different semantic scope from the French word ‘adéquat’ (‘appropriate’)”, although he went on to say that “the only criterion that must guide the interpretation of that word is the objective of attaining a high level of protection of fundamental rights, as required by Directive 95/46”.
In spite of the clearly laxer standard connoted by the term “adequate”, by defining “adequate” as “essentially equivalent”, it is almost impossible to escape the conclusion that the CJEU has effectively required all third countries to provide an almost identical degree of protection through the backdoor – a conclusion it has expressly rejected in the first place. This becomes eminently clear if one surveys the CJEU’s jurisprudence and draws an analogy with its use of the principle of “equivalence” in other areas.
The case law on free movement of goods is a good example, in which the CJEU has adopted the principle of equivalence in terms of “mutual recognition”: see Case 272/80 Frans-Nederlandse Maatschappij voor Biologische Producten ECR 3277 at paragraphs 14-15. In that context, equivalence refers to a presumption that the standards in different Member States are essentially the same. To require a third country’s standards to be essentially equivalent is like treating a third country as an EU Member State.
A second example is the principle of equivalence as defined in relation to the right to damages in national proceedings for breaches of EU law. In Case C-453/99 Courage Ltd v Crehan ECR I-6314 at paragraph 29 and Joined Cases C-295/04–298/04 Manfredi and Others ECR I-6619 at paragraph 62, the CJEU stated that “equivalence” in procedural rights under EU law means “such rules are not less favourable than those governing similar domestic actions”. If this approach is transposed to the data privacy context, again, it is apparent that third countries’ level of protection must be almost identical and no less favourable.
Therefore, as Professor Steve Peers (University of Essex) commented, “the Court’s interpretation of the meaning of ‘adequate’ protection in third States should probably be sung out loud, to the tune of ‘We are the World’… although the Court does hint that modest differences are permissible: accepting the idea of self-certification, and avoiding the issue of whether third States need an independent DPA (the Advocate-General had argued that they did).” The CJEU has arguably set the threshold too high and missed the opportunity to flesh out more concrete guidelines on what “adequacy” means in practice. As it currently stands, the CJEU’s decision risks leaving no realistic chance for third countries to meet the standard of adequacy, stifling business relations with companies in two of the largest economies in the world, the US and China.
To be fair, it is not unprecedented for the CJEU to effectively require a third country to comply with EU law standards. Earlier in April, the CJEU in Case C-424/13 Zuchtvieh-Export GmbH v Stadt Kempten had little hesitation that the protection of animals entailed that a Member State could prohibit a lorry journey from the EU to a third country (Russia) if the portion of the journey in the third country does not comply with EU regulations, effectively applying EU standards outside EU borders. A fortiori, there is even less hesitation in Schrems to impose EU standards extraterritorially for the protection of human rights.
It may be possible to salvage this by taking a more flexible approach and seeing “equivalence” as a procedural principle of good governance, rather than requiring strict substantive similarity, akin to the CJEU’s approach in Case C-24/00 Commission v France (French Vitamins) ECR I-1227 at paragraph 26, analysing equivalence as requiring procedural safeguards which are “readily accessible and can be completed within a reasonable time, and… open to challenge before the courts”. This may be a sensible via media for finding “adequacy” under the Data Privacy Directive and also the proposed GDPR.
Doctrinal purity aside, one thing is certain – the CJEU’s conclusion is correct and the level of protection in the US could not by any standard be deemed “adequate”. There is a serious lack of safeguards, if not a positive risk of infringement, under US law and policy with respect to surveillance and access to personal data, as recognised in Communications COM(2013) 846 final and COM(2013) 847 final – the CJEU recognised this at paragraph 90.
It is perhaps lamentable, however, that the CJEU merely resorted to a sweeping statement that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”, and that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection”: paragraphs 94-95.
This is to be contrasted with the Advocate General’s in-depth analysis of US legislation and remedies at paragraphs 198-214 of his Opinion, after which he concluded that there is a “wide-ranging and serious interference” with data privacy, and there is “no effective judicial remedy to citizens of the Union” in the event of an infringement. The Advocate General’s Opinion thus sheds valuable light on the reasoning behind the CJEU’s findings.
The CJEU is correct to hold at paragraph 63 that national supervisory authorities are able to review complaints of infringements independently and assess the level of protection in a third country, despite the binding effect of the Commission’s Decision. This is mandated by Articles 25 and 28 of the Data Privacy Directive, and could not be undermined by the Decision 2000/520 which seems to limit the powers of Member States to investigating breaches by companies and not the third country itself.
It is apparent from paragraphs 60-62 that the CJEU accepts that Member States do not have the power to unilaterally declare a Commission Decision invalid nor derogate from it at will while it is still in force – only the CJEU has the power to do so. To hold otherwise would fly in the face of the case law and the primacy of EU law.
What is slightly peculiar, however, is that the CJEU took the view at paragraphs 64-65 that individuals and national authorities wishing to challenge the validity of the Commission’s Decision should bring proceedings in the national courts, so that those courts could in turn make a preliminary reference to the CJEU. There are two reasons why this position is undesirable.
First, if an individual or national authority sets out to challenge the validity of the Commission’s Decision due to the inadequacy of a third country’s level of protection, the natural route is not to bring a domestic claim in the national courts. What is sought is judicial review of an act of the Commission, a direct action under Article 263 TFEU. It is not necessary to use the preliminary ruling procedure under Article 267 TFEU. Perhaps the CJEU was hoping to avoid the need for the individual to show “direct and individual concern”, which is a notoriously high threshold, but if so, the CJEU should revisit the test and make judicial review more accessible across the board, rather than circumvent it on a case by case basis.
Secondly, Article 25(3) of the Data Privacy Directive provides that “Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection”. This appears to be the most principled and efficient way of resolving the matter, by allowing the Commission the chance to adapt its Decision to changing circumstances or even suspend its Decision if necessary (an option expressly countenanced by the Commission during ongoing negotiations with the US after the Snowden leaks). This also has the advantage of avoiding the delay and costs of litigation before the CJEU.
As Professor Peers noted, “it’s unfortunate that the Court did not consider the alternative route of the national DPA calling on the Commission to amend its decision, and bringing a ‘failure to act’ proceeding directly in the EU courts if it did not do so”. This would be something that the Commission should address expressly in the proposed GDPR.
Although, as Advocate General Bot noted at paragraph 168 of his Opinion, the CJEU’s judgment is not concerned with an individual infringement by Facebook or any company, it is clear that there would be far-reaching implications for governments of third countries and any company (not just tech startups) handling personal data from the EU and transferring it to a third country. Five related issues should be flagged up in particular.
First, there is the very real concern that in the absence of the Safe Harbour arrangement under Decision 2000/520, it would become highly burdensome, if not virtually impractical, for US companies like Facebook to operate within the EU, as they potentially require clearance from each Member State under its relevant laws, and there would not be a uniform EU standard in the meantime. As Professor Lorna Woods (LSE) pointed out, “What will happen to uniformity in the EU? Different Member States may well take different views. This should also be understood against the Weltimmo judgment of last week, according to which more than one Member State could have the competence to regulate a multinational business (irrespective of where that business has its registered office in the EU)”.
Secondly, the CJEU’s judgment has left a legal vacuum exposing US companies previously within the Safe Harbour to infringements and liability in individual Member States. Professor Christopher Kuner (University of Brussels) suggested that “the Court could have required reform of the Safe Harbor while still upholding fundamental rights, such as by adopting a Solange approach coupled with a demand to make improvements within a certain time period”. Unfortunately, this was not the case, and the CJEU has opted to require strict compliance with EU standards.
Thirdly, it is unclear whether US companies could rely on any of the derogations under Article 26 of the Data Privacy Directive. Public interest arguments are out of the question as mass surveillance would inevitably be held as disproportionate (as opposed to targeted surveillance of specific “suspects”). It would be difficult for Facebook to rely on users’ consent to model terms and conditions, as consent has to be explicit and freely given. As Professor Peers put it, “Would people have to consent separately to mass surveillance? […] Or could a ‘spy on me’ clause be added at the end of a long (and unread) consent form?” It would equally be unrealistic for companies handling employees’ personal data, as employees cannot be said to have “freely” consented, privacy lawyers warned.
Fourthly, the Commission cannot resolve the issue by simply adopting a new decision. The CJEU’s judgment attacks not just the lack of procedural safeguards, but the practice of mass surveillance. It is therefore incumbent on the US to address these very serious problems – by reforming its policy on mass surveillance, introducing procedural safeguards and proposing effective remedies for infringements. These are no trivial hurdles, and are unlikely to be overcome before the next Presidential election. A more plausible route is to build on the EU-US Umbrella Agreement concluded this September on protection of personal data exchanged between law enforcement agencies, and extend it to commercial data transfers, with assurances on data protection (including clear limits on data use, retention periods etc), rights to erasure/rectification and remedies enforceable by EU citizens in US courts.
Lastly, looking forward from the EU’s perspective, there are some very real issues which the proposed GDPR has to address. It would be desirable for the Commission to spell out a uniform standard of “adequacy” to minimise discrepancies between Member States, systematically define the “one-stop-shop” procedure for challenging Commission Decisions, and delineate the relationship and allocation of powers between the Commission and national supervisory authorities more specifically. So far, the GDPR does not seem to improve the process for issuing adequacy decisions, and it is imperative that greater transparency and input from stakeholders are guaranteed, in order to avoid ending up in the same sticky situation again.
Taking stock, it is encouraging that the CJEU is unafraid to uphold the fundamental right to protection of personal data, in the face of an important trading partner like the US and social media giants like Facebook. However, there is still a lot of work to be done, and the struggle is not in identifying the legal principles applicable or the fundamental rights that deserve protection, but the appropriate balance that must be struck between protection of data privacy and the need to enable companies and social media providers established abroad to continue providing useful and indispensable services within the EU.
As Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) made clear in her speech “Inspiring trust: Stronger data protection rules to boost the Digital Single Market” in December 2014:
“[T]he aim of the data protection reform is a fair balance of rights: we want to empower citizens to manage their personal data while explicitly protecting the freedom of expression and of the media. We want to strengthen people’s rights while creating predictable conditions for businesses in the Digital Single Market. […] We should strive for a gold standard in data protection because we owe it to our citizens, and we owe it to our businesses.”
The Commissioner expressed on Friday in the JHA Conference that she was confident that overall agreement will be reached on the whole EU Data Protection reform by the end of the year. For now, we can only wait and see whether such optimism was warranted, and hope that the important lessons from Schrems are taken to heart.
(Photo credits: The Guardian and New York Times)