Simon McGarr, solicitor at McGarr solicitors
Last week, the CJEU held a hearing in the important case of Schrems v Data Protection Commissioner,
which concerns a legal challenge brought by an Austrian law student to the
transfers of his personal data to the USA by Facebook, on the grounds that his
data would be subject to mass surveillance under US law, as revealed by Edward
Snowden. His legal challenge was actually brought against the Irish data
protection commissioner, who regulates such transfers pursuant to an agreement
between the EU and the US known as the ‘Safe Harbour’ agreement. This agreement
takes the form of a Decision of the European Commission made pursuant to the EU’s
data protection Directive, which permits personal data to be transferred to the
USA under certain conditions. He argued that the data protection authority has
the obligation to suspend transfers due to breaches of data protection
standards occurring in the USA. (For more detail on the background to the case,
see the discussion of the original Irish judgment here).
The following summarises the arguments made at the hearing by the
parties, including the intervening NGO Digital Rights Ireland, as well as
several Member States, the European Parliament, the Commission and the European
Data Protection Supervisor. It then sets
out the question-and-answer session between the CJEU judges (and
Advocate-General) and the parties. The next step in this important litigation
will be the opinion of the Advocate-General, due June 24th.
Please note: these notes are presented for information purposes only. They are not an official record or a verbatim account of the hearing. They are based on rough contemporaneous notes and the arguments made at the hearing are paraphrased or compressed. Nothing here should be relied on for any legal or judicial purpose, and all the following is liable to transcription error.
Please note: these notes are presented for information purposes only. They are not an official record or a verbatim account of the hearing. They are based on rough contemporaneous notes and the arguments made at the hearing are paraphrased or compressed. Nothing here should be relied on for any legal or judicial purpose, and all the following is liable to transcription error.
Schrems v Data Protection Commissioner
Case C-362/14
Judges:
M.V Skouris (president); M.K. Lenaerts (Vice President); M.A. Tizzano; Mme
R. Silva de Lapuerta; M. T. Von Danwitz (Judge Rapporteur); M. S. Rodin; Mme K.
Jurimae; M. A Rosas; M. E. Juhász; M. A. Borg Barthet; M. J. Malenovsky; M. D.
Svaby; Mme M. Berger; M. F. Biltgen; M. C. Lycourgos; M. F. Biltgen
M. Y. Bot (Advocat General)
Max Schrems
Noel Travers SC for Mr. Schrems told the court that personal data in
the US is subject to mass and indiscriminate mass surveillance. The DRI v Ireland case struck down the EU data
retention directive, establishing a principle which applies a fortiori to this case. However, the
court held that Data Retention did not affect the essence of the right under
Article 8, as it concerned only metadata. The surveillance carried out in the
US accesses the content of data as well as the metadata, and without judicial
oversight. This interference is so serious that it does violate the essence of
Article 8 rights, unlike the data retention directive. Mr. Travers held that
the Safe Harbour decision is contrary to the Data Protection directive’s own
stated purpose, and that it was accordingly invalid.
Answering the Court’s question as to whether the decision precludes an
investigation by a Data Protection Authority (DPA) such as the Irish Data
Protection Commissioner, he submitted that compliance with fundamental rights
must be part of the implementation of any Directive. Accordingly, national
authorities, when called upon in a complaint to investigate breaches must have
the power to do so.
Article 25.6 of the data protection Directive allows for findings on
adequacy regarding a third country “by reason of its domestic law or of the
international commitments it has entered into”. The Safe Harbour Principles (SHPs)
and FAQs are not a law or an international agreement under the meaning of the
Vienna Convention. And the SHPs do not apply to US public bodies. The Safe
Harbour Principles are set out in an annex to a Commission Decision, but that
annex is subject to US courts for interpretation and for compliance. Where
there is a requirement for compliance with law, it is with US law, not EU law.
Irish Data
Protection Commissioner
For the Data Protection Commissioner, Mr. Paul Anthony McDermott said
that with power must come limitations. All national regulators are firstly
bound by domestic law. The Data
Protection Commissioner is also bound by the Irish Constitutional division of
powers. She cannot strike down laws, Directives or a Decision.
Mr. Schrems wanted to debate Safe Harbour in a general way- it wasn’t
alleged then that Facebook was in breach of safe harbour or that his data was
in danger. The Irish High Court had a limited Judicial Review challenge in
front of it. Mr. Schrems didn’t challenge Safe Harbour, or the State, or EU law
directly, and the Irish High Court declined the application by Digital Right
Ireland to refer the validity of the Safe Harbour Decision to Luxembourg. Mr.
McDermott asked the court to respect the parameters of the case.
Europe has decided to deal with the transfer of data to the US at a
European level. The purpose of the Safe Harbour agreement is to reach a
negotiated compromise. The words “negotiate”, “adapt” and “review” appear in
the Decision. It is clear therefore that a degree of compromise is envisaged.
Such matters are not to be dealt with in a court but, as they involve both
legal and political issues, by diplomacy and realpolitik.
The Data Protection Commissioner can have regard to the EU Charter of
Fundamental Rights when she’s balancing matters but it doesn’t trump
everything. It doesn’t allow her to ignore domestic law or European law, Mr.
McDermott concluded.
Digital Rights
Ireland
For Digital Rights Ireland (DRI), Fergal Crehan BL said that while it
was clear that the Decision permits some member states, under existing
legislation, to question the adherence of individual organisations to the Safe
Harbour Principles, that the Decision purported to require Member states to
accept it as a full and final determination as to the adequacy of the law and
practices of the United States of America. In this regard at least DRI agreed
with the submissions of the Commission. However, the Decision in fact could not
require member states to do so. Citing Case 34/78 Yoshida, and related cases, he said that the Decision was
clearly an item of tertiary
legislation, relying on the Directive for its legitimacy. It follows that the
Decision must comply, not only
with the Charter, but also with the Directive from which it takes its being.
The law of the EU requires independent supervision of the
Fundamental Right to Data Protection. This is established in Article 8.3 of the
Charter, and fleshed out in the Directive, particularly at Article 28.
Accordingly, by purporting to abridge this supervisory power, it is the SHD
which runs contrary to the norms of primary and secondary EU law, and therefore it is the SHD which must
yield.
To the Court’s question as to whether such powers can be made subject to requirements such as those at 3(1)(b)
of the Decision, he give a similar answer. The powers granted to Data Protection
Authorities in the Directive cannot be limited by a Decision, where that
Decision is made on foot of the Directive, without inverting the
hierarchical norms of the EU legal order. Insofar as the Decision purports to
do so, it was invalid.
Turning to the Court’s question as to whether the Decision be reviewed, under Article 46
of Regulation 45/2001, by the European Data Protection Supervisor (EDPS),
he noted that Article 41 of that Regulation sets out the EDPS' remit as not only the "processing of
personal data by
a Community institution or body", but also advising Community institutions
on all matters concerning the
processing of personal data.
To the court’s question as to whether a
decision on adequacy was limited to an examination of laws and international
agreements, he noted that the Directive provides that “The adequacy of the level of protection
afforded by a third country shall be assessed in the light of all the circumstances surrounding a
data transfer operation”
Accordingly, the Commission must consider the adequacy of practice
as well as law. It would be both absurd and entirely inadequate to the
requirements of the Directive were the Commission to simply open the statute
book of a third country, and assess adequacy solely on the basis of a legal
order which might not correspond to reality.
In the judgment of this Court in NS v Secretary of State for the Home Department, it was held,:
“a third country can only be considered as a
‘safe third country’ where not only has it ratified the Geneva Convention and
the ECHR but it also observes
the provisions thereof.
It was further held in NS
that mere ratification of
conventions by a Member State cannot result in the application of a conclusive
presumption that that State observes those conventions. The same
principle is applicable both to Member States and third countries
Echoing Mr. Schrems, DRI submitted that an “adequate
level of protection” must include effective judicial protection, noting that
the Charter of Fundamental Rights provides, at Article 41 for the Right to Good
Administration, and at Article 47 for the Right to An Effective Remedy.
However, FAQ 11 of the SHD offers organisations a choice of
enforcement mechanisms, none of which involve submission to “an independent and
impartial tribunal previously established by law” as required by the Charter.
Even where options 2 or 3 set out in FAQ 11 could be said to satisfy the
Charter requirement, the fact that they are optional, and may be shunned by the
Safe Harbour Organisation in favour of option 1, a private sector mechanism,
chosen and paid for by the Safe Harbour Organization, meant the Decision fails
to provide effective independent judicial protection.
DRI also noted that while data subjects may make complaints to the
US Federal Trade Commission, the FTC is not obliged to investigate them, and
has never done so on even one occasion. This weakness of the Decision in the
area of Enforcement was the subject of constant criticism by the Article 29
Working Party [the advisory body set up by the data protection directive] at
every stage in the evolution of the Safe Harbour Agreement.
Mr. Crehan noted that the Decision does not require Safe Harbour
Organizations to comply with the Safe Harbour Principles in practice. Rather it
states, at article 1.3, that where an organization self-certifies, certain
conditions shall be considered to
have been met. The key condition is that the organisation receiving the data
has disclosed its commitment to
comply with the Safe Harbour Principles. The Commission notably did not take
the perhaps more logical approach of making compliance itself a condition under
Article 1.2. The effect of this formulation is that an organisation is deemed compliant by reason solely of its making a commitment to comply. The decision,
he said, was not a "finding", in the everyday sense of that word; it
was simply a decision to cease looking.
The findings of the Commission in its
Communications on the functioning of Safe Harbour were findings, in
the true and literal sense of the word. These ran contrary to that which the
Commission purported to “find”, in the Safe Harbour Decision. The result was an
extraordinary state of affairs where a “finding” was being defended in the very
face of the commission’s own later findings to the contrary.
DRI acknowledged the difficulties that might be caused by a state
of affairs where each and every national authority was to make its own
intervention, each perhaps coming to different conclusions, and submitted that
the EDPS might be best placed to intervene in a coordinating role.
Irish
government
For the Republic of Ireland, Mr. David Fennelly BL submitted that the
Safe Harbour Decision is binding on the Member States and remains binding while
it is in force. Article 25 of the Directive must be read in a holistic way. The
protection of personal data must be safeguarded in an appropriate way, but that
there can be variations in the means of safeguarding. In regulating EU data
beyond the borders, the EU can’t unilaterally impose its standards on third
countries. That’s why Article 25 does not require “equivalent” level of
protection, but an “adequate” level of protection.
Ireland noted with concern the Commission’s findings regarding the
working of Safe Harbour, but also noted that the Commission did not think these
were sufficiently serious to justify them either repealing or suspending the
Decision.
The scheme created under Article 25 says that findings must be made
through negotiations, and Member States are bound by the positive adequacy
finding and can’t make any findings or do anything which would undermine the
Commission’s negotiations.
Belgium
Counsel for Belgium submitted that there is no hierarchy of norms within the Directive,
placing Chapter 4, which provides for the Safe Harbour Decision, above Chapter
6, which provides for the powers of DPAs. Chapter 6 is a general chapter which
may be supplemented by chapter 4 but is not necessarily subordinate to it. The
independence of national supervisory authorities is vital. The primary goal of
the adequacy decision is to bring legal certainty. The Decision has no temporal
limit, and while circumstances can change, there was no requirement to review
the Safe Harbour Decision in the light of those new circumstances.
A member state, Belgium submitted, must not make an interpretation of
their domestic law that is in defiance of the EU Charter Rights. So protection
of Charter Rights might require that any limitations on DPAs be negated.
Austria
Counsel for The Republic of Austria noted that adequacy decisions are
not directly applicable under EU Member States’ law, but are rather directed to
Member States, requiring them to take necessary measures. Art 25.6 of the
Directive doesn’t contain any express requirement on the Commission to act in
the light of ongoing circumstances. However, other forms of EU law place an
implicit requirement on the Commission to review matters. If the Commission
doesn’t act, the adequacy decisions can be looked at by national supervisory
authorities. Article 3 of the Decision provides for an “emergency exit” by
granting powers to Data Protection authorities. But the Decision provided so
narrow an exit, with so many different requirements for it to be invoked, that the
national supervisory authorities in effect are prevented from enacting their
powers.
How should these requirements be interpreted? It can’t just be a
theoretical legal examination, but rather it needs to be a practical issue.
Contrary to Ireland’s submissions, Austria saw this not as trying to force EU
law on third parties but rather as taking EU citizens’ rights as a starting
point and seeking to have them protected. Legal and judicial protection for EU
citizens is a central issue.
There is no adequacy decision under Article 25.6 of the Directive. Safe
Harbour is not a safe harbour for EU citizens but rather a safe harbour for
data pirates. Safe Harbour has not amended US law or created any international
requirements, so there is no legal basis for the Safe Harbour Decision. It
should be repealed, though perhaps with a transitional period for legal
certainty.
Poland
Counsel for Poland referred to Digital Rights Ireland’s point that the
Decision was based on the Directive and must be interpreted in the light of the
Directive. Therefore the Decision cannot prevent national supervisors from
acting under their directive powers, as the Directive is of a higher rank so
cannot be limited by the Decision. There can be a presumption of adequacy
created by the Desicion, but the presumption must be rebuttable.
The safeguard mechanism is there to allow national supervisors to
suspend flows, but it is too limited. Supervisory authorities must be permitted
to conduct investigations, and if they find there is a problem, they must have
the right to suspend data transfer. The Directive says that the adequacy of the
protection in third countries must be considered in the light of all the
circumstances – not just the rules, but also the facts. This must include the availability of
effective judicial oversight.
Slovenia
Counsel for Slovenia also submitted that national data protection
authorities (DPAs) were not prevented from investigating by the Decision. To
ensure an adequate level of protection in third parties, the Commission is not
limited only to the assessment of legal norms but also their practical
implementation. EU citizens have got judicial protections and if there are any
breaches under Safe Harbour, there must be judicial remedies at the level of
the EU law. The Commission’s findings point to a violation of human rights in
respect of transfers and there should not be a requirement on the part of Mr.
Schrems to prove an actual breach but to show a strong possibility of a breach.
United Kingdom
Counsel for the UK submitted that Member States must take all measures
necessary to give effect to the Decision’s assessment. Article 25 of the
Directive empowers the Commission to establish a common position for the Union,
so as not to have conflicting findings. This is integral to international
relations on data to allow for international trade.
DPAs can investigate the lawfulness of data processing. However, once
the Commission has given its decision, the issue of lawfulness has been dealt
with. But examining adequacy of individual data transfers remains within the
local authorities’ remit. In this way the Directive is therefore in compliance
with the Charter.
The Commission’s findings on the functioning of Safe Harbour were
expressions of policy. They have no legal status, and there is not a requirement
to act on foot of them. Had there been such a requirement, the Commission would
have done so. Rather, they are part of an ongoing discussion on how to improve
the arrangements and this Court isn’t the right place to usurp the Commission
Decision. He also noted that if the Court did strike the Decision down, there
would be serious effect on transfers to the US risking disruption to trade.
European
Parliament
Counsel for the European Parliament noted that the Commission may make
a finding of adequacy ‘only if’ there is adequate protection. The default is a
presumption that there is not adequate protection. The Commission only creates
a presumption, which can be rebutted in the face of evidence.
The Commission cannot, by its Decision, prevent supervisory authorities
from exercising their powers under Article 28 of the Directive. The legislature
did not give any powers to the Commission under Article 28. Article 25, which
allows for the finding on adequacy, does not provide powers to restrict the
supervisory authorities.
The Commission must take into account all circumstances in determining
adequacy. It may exercising power having regard to two particular issues (law
and international commitments), but that doesn’t preclude the Commission from
taking anything else into account. Rules of law to be taken into account must
include effective judicial protection.
US law and practice allows for large scale, unnecessary and
disproportionate collection of EU data, and does not provide adequate
protection for EU citizens’ data. The Commission therefore cannot maintain
there is adequate protection. The Commission was required to suspend Safe
Harbour. They have failed to respond to the Parliament’s call to do so. The
EDPS and national authorities must and should intervene in the face of clear
evidence of a serious violation of EU rights.
Commission
Finally, Counsel for the European Commission made his submissions. He
submitted that every adequacy decision has a procedural safeguard, allowing
that suspension is permitted where a specific data transfer is not, in fact,
adequate. The limitations on DPAs in the Decision do not limit the right to
supervision under Charter Article 8.3 but rather give shape to it. The review
powers of the EDPS are only to do with data processing by EU institutions, and the
EDPS also is not empowered to review the Commission’s adequacy decisions.
In finding on adequacy, the Commission is not restricted to reviewing
the laws on the books but also the law in action. There is a requirement for
appropriate redress - taking account of different traditions in third
countries. Redress can be sought before the FTC or the Dept of Transport or US
courts or domestic courts. Echoing Ireland, counsel for the Commission argued
that ‘adequate’ does not mean ‘equivalent’.
Talks with the US are ongoing and making some progress, but they are
complex and political. The Commission cannot conclude that there is an adequate
level of protection of all data transfers made under the Safe Harbour
principles. However, the Commission must be allowed to have a margin of
discretion. It has to balance citizen’s rights with the need for legal
certainty, for trade and for the EU’s international relationships.
European Data
Protection Supervisor
Counsel for the European Data Protection Supervisor, Mr. Dockson,
stated that Safe Harbour, quite apart from current concerns regarding mass
surveillance, was adopted in the face of doubts. The Article 29 working group
have tried to make it work. However, 18 months after criticisms were issued by
the group, they remain unacted upon. Mass surveillance of the sort when the
Decision was made was not imagined. The Safe Harbour system was not designed to
allow for the level of surveillance now obtaining in the US.
Echoing counsel for Mr. Schrems, he noted that DRI v Ireland clarified when the essence to the
right to privacy was infringed. There is serious inference where there is
access to the content of the data. In DRI
v Ireland, the Court criticised the failure to require the holding of data
within the EU, under the control of an Independent data protection authority.
In the US, such protections are wholly absent.
Regarding the role of the EDPS’ authority, Mr. Dockson referred to the
European Parliament’s consideration of EDPS powers. Independence of data
protection authorities is crucial. Independence cannot be curtailed by a
Commission comitology Decision.
The improvements by the US in the coming months must be sufficient. If
there is not a positive outcome, then there is a need to suspend the Decision.
Court questioning
Counsel’s observations having finished, the Judge-Rapporteur led the
Court’s questioning.
He asked Counsel for the Commission whether the EDPS could or should
intervene if the Commission is inactive. Counsel for the Commission replied
firstly that the Commission is not inactive, and added that national
authorities cannot intervene in respect of third countries while the Commission
Decision stands.
The Advocate-General then took up the questioning. He referred to
Recital 5 of the Decision, which requires that adequacy shall be “ensured”. The
Decision itself merely states that it shall be “considered ensured”.
Per Pg 35 of the Decision, where US law provides for a breach, then
that breach is allowed. So everything that is in the Safe Harbour agreement can
be set aside by US national law? If so, how can you then plead that these
regulations ensure adequacy? Having taken some advice, counsel for the
Commission stated that what must be assessed is a situation, not just a system
of laws. The United States ensured that they would enforce the Safe Harbour
Principles.
The
Judge-Rapporteur (JR) now intervened:
There is no explicit competence given to the Commission to limit the
powers of DPAs. Article 3 does not have any bearing on adequacy.
Commission: There is a safety valve in all these adequacy decisions,
which can only be a general finding. Rules can be adequate, but their
implementation may be problematic.
JR: but you say you’re limiting the powers of the independent national
authorities. Where do you get that power?
Commission: Read Art 25 and 28 together. Adequacy decisions must be
complied with by the Member States, and the national authorities must comply.
JR: you’ve stated here that you can’t confirm today that adequacy is
respected. If this is your finding, what is the implication of recital 57? Or
isn’t it limiting your discretion? Shouldn’t you explain your justification for
continuing with the Decision?
Commission: Legal certainty is a very important consideration. There is
a lot of reliance on the Decision currently. And also we need to consider the
relations with the third party country.
JR: So, you say you’re remaining with the margin of discretion. Are you
in essence pleading that the Safe Harbour decision is not subject to Art 8.3 of
the Charter? Yes or No?
*Commission take instructions*
Commission: It is not the task of a national supervisory authority to
examine whether the Commission complies with Art 8.3 of the Charter.
JR: The answer is no?
Commission: The answer is no.
The Judge Rapporteur asked counsel for the Commission to consider
C-518/07 Commission -v- Germany where
it was held that all actions by Independent authorities must be interpreted in
the light of their duties.
After a lunch break, the questions resumed, with the Court’s
Advocate-General (AG) taking the lead.
AG: What is the meaning of “ensure”? This verb should mean ‘to make
sure that’, i.e that the third country could be obliged to do something?
Commission: Under Article 25 [of the Directive], read as a whole, it is
up to the member states to examine the adequacy of the protections. That is not
an obligation on a third country. It is an examination of a state of affairs.
However, when the Commission reaches the conclusion that there is an adequate
level of protection, it has been satisfied that sufficient data protection will
be guarantee in the future. What has happened in the case of the Safe Harbour
decision is that the US communicated a letter to the Commission. They ensured
us they would enforce the principles.
AG: A different question, re Charter Article 8.3. You said that there
was an area that was the exclusive competence of the Commission which could not
be challenged by the national authorities. In this case, how do you think
effective protection can be provided if they were not permitted to consider a
swathe of data?
Commission: Well, we can only control data protection in the EU, under
the Safe Harbour decision as it is applied. As it is currently applied, there
is no guarantee that the fundamental rights of the EU citizens are adequately
protected in the US. The Commission has taken action.
AG: Let’s imagine I’m on Facebook and I decide my rights have been
breached. But I don’t see the Commission taking action.
Commission: The Commission has analysed the facts, examined the
problems and engaged in talks with the US authorities. We were assured by the
US President in a speech that there was to be a review.
AG: - Until then, what happens?
Commission: National authorities need to take whatever actions they
need to take for individuals. There’s a lot a data is already in the US.
President Judge: This can’t be your main argument. I don’t understand
it. Because there are already violations, then the violations need to continue?
Commission: Well, there’s lots of data flowing.
President Judge: you don’t intend to change the decision, but rather to
seek to get assurances from the US?
Commission: Yes, we hope for concrete guarantees. But it’s too early to
tell.
President Judge: How long will that take? Your recommendations were
made in 2013.
Commission: There is some hope that our recommendations may be
accepted. We shouldn’t be pushed by changing the Safe Harbour situation. It
might not improve our position with the US.
AG: Perhaps my position is self-centred, but in the meantime my data is
still being transferred.
Commission: Close your Facebook account. An individual can revoke
consent.
AG: If I wish to approach a National Authority, I am not able to do so?
Commission: You can approach them and if they are restricted by article
3 of the Decision, then that Article needs to be interpreted in the light of
Fundamental Rights.
Judge Berger of Austria then addressed a question to the Counsel for
the Data Protection Commissioner
Judge Berger: Your Data Protection Authority is hopelessly understaffed
and you want to attract IT companies to site in Ireland and so are soft on data
protection, we understand from the media. Is this why the Data Protection
Authority is so willing to exercise self-restraint in exercising powers?
DPC: No, new resources have been given.
Vice President Lenearts then addressed some questions to counsel for
the Commission.
Vice President: The legality of a law must be considered in the light
of what is legal at the moment that it is made. All of this happened in the
year 2000. Irrespective of the actual form of question referred to the court,
validity has been discussed, and let’s not quarrel about semantics.
Should we 15 years later be bound by the historical case of fact
finding? Should the Commission be seen in all times after that, to be still
confirming the 2000 appraisal in the context
of all the facts known at subsequent moments.
Commission: This is novel and the court should tread carefully. The
Court has asked about “old school” validity, but also it may look and see if
there was a subsequent duty to
act.
Vice President: But a national court is looking to this court to know
the state of the law. If the Commission is not acting 15 years later, then the
court can then assess that decision?
Commission: But action does not require the removal or amendment of
Safe Harbour. The Court may not substitute its own decision as to when is the
right time to review a measure.
Judge Rodin: A question of a factual nature: What was the harm to your
client [Mr. Schrems]?
Schrems: The harm is the breach to his right to privacy.
Judge: But do you have any evidence that this happened re your client’s
data?
Schrems: No, but there is no need in case law flowing from the primary
breach to prove an individual breach.
Judge: Is the right to privacy absolute or not?
Schrems: No right is absolute except perhaps that against torture, but
there is no objective reason for access of the data in US law.
Judge: A question for the Commission, assuming that mass surveillance
took place, might there be an overriding reason for it that would mean that it
was still adequately protected?
Commission: Over-broad use of the national security exception would
damage adequacy.
There followed some brief replies from the main parties. Mr. Herwig
Hoffman for Mr. Schrems pointed out that the Commission has repeatedly stated
that it cannot now state EU citizens’ data is adequately protected. Private
companies are not bound by the Safe Harbour principles, where they clash with
any US domestic law. In order to justify itself, the Commission has said here
that the Decision does not need to comply with Art 8 of the Charter. Independence
of the national DPA contains an obligation to uphold individual rights. Article
3 of the Decision purports to fetter this independence. Striking down this Safe
Harbour agreement will only affect a couple of thousand of companies, who have
signed up to it. It will simply place all US companies in the same position as
non-Safe Harbour companies have been up until now.
Mr. McDermott for the Data Protection Commissioner said that Mr.
Schrems has not shown that he personally has been harmed in any way. That is
hardly surprising, as the NSA doesn’t care about accessing the essays of an
Austrian Law Student. The Court could take advantage of the fact that Mr.
Schrems is not being harmed to allow the Commission some time to complete
negotiations with the US. The solution is for the walls of Safe Harbour to be
built higher, not to allow the harbour to be dismantled brick by brick by
individual national authorities.
Mr. Crehan for DRI noted that Article 3 provides only for
investigations into compliance with the Safe Harbour principles. These
principles are such that even if they are complied with, this does not respect
fundamental rights.
The Commission, concluding, stated that if the Commission can find
adequacy, it can find adequacy in a conditional way also. Article 3 does not
require too narrow a reading and if they need to, national DPAs can always use
their authority under the Charter to read it as widely as they require to act
in individual cases.
However, this independence does not mean that the Data Protection
Authorities are not bound by the law and so they must accept the adequacy
Decision. A harmonised approach is necessary to ensure that different member
states may not make different findings about the US.
Case concluded. Advocate General's Opinion on 24th June.
Simon McGarr will present on aspects
of this case in a talk titled "Regulation, Litigation and the rise of Fundamental
Rights" at the forthcoming Digital Rights Europe conference, 15 April in Dublin.
No comments:
Post a Comment