Sunday 29 March 2015

Do Facebook and the USA violate EU data protection law? The CJEU hearing in Schrems


 

 

Simon McGarr, solicitor at McGarr solicitors

 

Last week, the CJEU held a hearing in the important case of Schrems v Data Protection Commissioner, which concerns a legal challenge brought by an Austrian law student to the transfers of his personal data to the USA by Facebook, on the grounds that his data would be subject to mass surveillance under US law, as revealed by Edward Snowden. His legal challenge was actually brought against the Irish data protection commissioner, who regulates such transfers pursuant to an agreement between the EU and the US known as the ‘Safe Harbour’ agreement. This agreement takes the form of a Decision of the European Commission made pursuant to the EU’s data protection Directive, which permits personal data to be transferred to the USA under certain conditions. He argued that the data protection authority has the obligation to suspend transfers due to breaches of data protection standards occurring in the USA. (For more detail on the background to the case, see the discussion of the original Irish judgment here).

 

The following summarises the arguments made at the hearing by the parties, including the intervening NGO Digital Rights Ireland, as well as several Member States, the European Parliament, the Commission and the European Data Protection Supervisor.  It then sets out the question-and-answer session between the CJEU judges (and Advocate-General) and the parties. The next step in this important litigation will be the opinion of the Advocate-General, due June 24th.


Please note: these notes are presented for information purposes only. They are not an official record or a verbatim account of the hearing. They are based on rough contemporaneous notes and the arguments made at the hearing are paraphrased or compressed. Nothing here should be relied on for any legal or judicial purpose, and all the following is liable to transcription error.

  

Schrems v Data Protection Commissioner

Case C-362/14

 

Judges:

M.V Skouris (President); M.K. Lenaerts (Vice President); M.A. Tizzano; Mme R. Silva de Lapuerta; M. T. Von Danwitz (Judge Rapporteur); M. S. Rodin; Mme K. Jurimae; M. A Rosas; M. E. Juhász; M. A. Borg Barthet; M. J. Malenovsky; M. D. Svaby; Mme M. Berger; M. F. Biltgen; M. C. Lycourgos

 

M. Y. Bot (Advocate General)

 

Max Schrems

 

Noel Travers SC for Mr. Schrems told the court that personal data in the US is subject to mass and indiscriminate surveillance. The DRI v Ireland case struck down the EU data retention directive, establishing a principle which applies a fortiori to this case. However, the court held that Data Retention did not affect the essence of the right under Article 8, as it concerned only metadata. The surveillance carried out in the US accesses the content of data as well as the metadata, and without judicial oversight. This interference is so serious that it does violate the essence of Article 8 rights, unlike the data retention directive. Mr. Travers held that the Safe Harbour decision is contrary to the Data Protection directive’s own stated purpose, and that it was accordingly invalid.

 

Answering the Court’s question as to whether the decision precludes an investigation by a Data Protection Authority (DPA) such as the Irish Data Protection Commissioner, he submitted that compliance with fundamental rights must be part of the implementation of any Directive. Accordingly, national authorities, when called upon in a complaint to investigate breaches must have the power to do so.

 

Article 25.6 of the data protection Directive allows for findings on adequacy regarding a third country “by reason of its domestic law or of the international commitments it has entered into”. The Safe Harbour Principles (SHPs) and FAQs are not a law or an international agreement under the meaning of the Vienna Convention. And the SHPs do not apply to US public bodies. The Safe Harbour Principles are set out in an annex to a Commission Decision, but that annex is subject to US courts for interpretation and for compliance. Where there is a requirement for compliance with law, it is with US law, not EU law.

 

Irish Data Protection Commissioner

 

For the Data Protection Commissioner, Mr. Paul Anthony McDermott said that with power must come limitations. All national regulators are firstly bound by domestic law.  The Data Protection Commissioner is also bound by the Irish Constitutional division of powers. She cannot strike down laws, Directives or a Decision.

 

Mr. Schrems wanted to debate Safe Harbour in a general way; it wasn’t alleged then that Facebook was in breach of safe harbour or that his data was in danger. The Irish High Court had a limited Judicial Review challenge in front of it. Mr. Schrems didn’t challenge Safe Harbour, or the State, or EU law directly, and the Irish High Court declined the application by Digital Rights Ireland to refer the validity of the Safe Harbour Decision to Luxembourg. Mr. McDermott asked the court to respect the parameters of the case.

 

Europe has decided to deal with the transfer of data to the US at a European level. The purpose of the Safe Harbour agreement is to reach a negotiated compromise. The words “negotiate”, “adapt” and “review” appear in the Decision. It is clear therefore that a degree of compromise is envisaged. Such matters are not to be dealt with in a court but, as they involve both legal and political issues, by diplomacy and realpolitik.

 

The Data Protection Commissioner can have regard to the EU Charter of Fundamental Rights when she’s balancing matters but it doesn’t trump everything. It doesn’t allow her to ignore domestic law or European law, Mr. McDermott concluded.

 

Digital Rights Ireland

 

For Digital Rights Ireland (DRI), Fergal Crehan BL said that while it was clear that the Decision permits some member states, under existing legislation, to question the adherence of individual organisations to the Safe Harbour Principles, the Decision purported to require Member states to accept it as a full and final determination as to the adequacy of the law and practices of the United States of America. In this regard at least DRI agreed with the submissions of the Commission. However, the Decision in fact could not require member states to do so. Citing Case 34/78 Yoshida, and related cases, he said that the Decision was clearly an item of tertiary legislation, relying on the Directive for its legitimacy. It follows that the Decision must comply, not only with the Charter, but also with the Directive from which it takes its being.

 

The law of the EU requires independent supervision of the Fundamental Right to Data Protection. This is established in Article 8.3 of the Charter, and fleshed out in the Directive, particularly at Article 28. Accordingly, by purporting to abridge this supervisory power, it is the SHD which runs contrary to the norms of primary and secondary EU law, and therefore it is the SHD which must yield.

 

To the Court’s question as to whether such powers can be made subject to requirements such as those at 3(1)(b) of the Decision, he gave a similar answer. The powers granted to Data Protection Authorities in the Directive cannot be limited by a Decision, where that Decision is made on foot of the Directive, without inverting the hierarchical norms of the EU legal order. Insofar as the Decision purports to do so, it was invalid.

 

Turning to the Court’s question as to whether the Decision can be reviewed, under Article 46 of Regulation 45/2001, by the European Data Protection Supervisor (EDPS), he noted that Article 41 of that Regulation sets out the EDPS' remit as not only the "processing of personal data by a Community institution or body", but also advising Community institutions on all matters concerning the processing of personal data.

 

To the court’s question as to whether a decision on adequacy was limited to an examination of laws and international agreements, he noted that the Directive provides that “The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation”.

 

Accordingly, the Commission must consider the adequacy of practice as well as law. It would be both absurd and entirely inadequate to the requirements of the Directive were the Commission to simply open the statute book of a third country, and assess adequacy solely on the basis of a legal order which might not correspond to reality.

 

In the judgment of this Court in NS v Secretary of State for the Home Department, it was held:

 

“a third country can only be considered as a ‘safe third country’ where not only has it ratified the Geneva Convention and the ECHR but it also observes the provisions thereof.”

 

It was further held in NS that mere ratification of conventions by a Member State cannot result in the application of a conclusive presumption that that State observes those conventions. The same principle is applicable both to Member States and third countries.

 

Echoing Mr. Schrems, DRI submitted that an “adequate level of protection” must include effective judicial protection, noting that the Charter of Fundamental Rights provides, at Article 41 for the Right to Good Administration, and at Article 47 for the Right to An Effective Remedy.

 

However, FAQ 11 of the SHD offers organisations a choice of enforcement mechanisms, none of which involve submission to “an independent and impartial tribunal previously established by law” as required by the Charter. Even where options 2 or 3 set out in FAQ 11 could be said to satisfy the Charter requirement, the fact that they are optional, and may be shunned by the Safe Harbour Organisation in favour of option 1, a private sector mechanism, chosen and paid for by the Safe Harbour Organization, meant the Decision fails to provide effective independent judicial protection.

 

DRI also noted that while data subjects may make complaints to the US Federal Trade Commission, the FTC is not obliged to investigate them, and has never done so on even one occasion. This weakness of the Decision in the area of Enforcement was the subject of constant criticism by the Article 29 Working Party [the advisory body set up by the data protection directive] at every stage in the evolution of the Safe Harbour Agreement.

 

Mr. Crehan noted that the Decision does not require Safe Harbour Organizations to comply with the Safe Harbour Principles in practice. Rather it states, at article 1.3, that where an organization self-certifies, certain conditions shall be considered to have been met. The key condition is that the organisation receiving the data has disclosed its commitment to comply with the Safe Harbour Principles. The Commission notably did not take the perhaps more logical approach of making compliance itself a condition under Article 1.2. The effect of this formulation is that an organisation is deemed compliant by reason solely of its making a commitment to comply. The decision, he said, was not a "finding", in the everyday sense of that word; it was simply a decision to cease looking.

 

The findings of the Commission in its Communications on the functioning of Safe Harbour were findings, in the true and literal sense of the word. These ran contrary to that which the Commission purported to “find”, in the Safe Harbour Decision. The result was an extraordinary state of affairs where a “finding” was being defended in the very face of the commission’s own later findings to the contrary.

 

DRI acknowledged the difficulties that might be caused by a state of affairs where each and every national authority was to make its own intervention, each perhaps coming to different conclusions, and submitted that the EDPS might be best placed to intervene in a coordinating role.

 

Irish government

 

For the Republic of Ireland, Mr. David Fennelly BL submitted that the Safe Harbour Decision is binding on the Member States and remains binding while it is in force. Article 25 of the Directive must be read in a holistic way. The protection of personal data must be safeguarded in an appropriate way, but there can be variations in the means of safeguarding. In regulating EU data beyond the borders, the EU can’t unilaterally impose its standards on third countries. That’s why Article 25 does not require an “equivalent” level of protection, but an “adequate” level of protection.

 

Ireland noted with concern the Commission’s findings regarding the working of Safe Harbour, but also noted that the Commission did not think these were sufficiently serious to justify them either repealing or suspending the Decision.

 

The scheme created under Article 25 says that findings must be made through negotiations, and Member States are bound by the positive adequacy finding and can’t make any findings or do anything which would undermine the Commission’s negotiations.

 

Belgium

 

Counsel for Belgium submitted that there is no hierarchy of norms within the Directive, placing Chapter 4, which provides for the Safe Harbour Decision, above Chapter 6, which provides for the powers of DPAs. Chapter 6 is a general chapter which may be supplemented by chapter 4 but is not necessarily subordinate to it. The independence of national supervisory authorities is vital. The primary goal of the adequacy decision is to bring legal certainty. The Decision has no temporal limit, and while circumstances can change, there was no requirement to review the Safe Harbour Decision in the light of those new circumstances.

 

A member state, Belgium submitted, must not make an interpretation of their domestic law that is in defiance of the EU Charter Rights. So protection of Charter Rights might require that any limitations on DPAs be negated.

 

Austria

 

Counsel for The Republic of Austria noted that adequacy decisions are not directly applicable under EU Member States’ law, but are rather directed to Member States, requiring them to take necessary measures. Art 25.6 of the Directive doesn’t contain any express requirement on the Commission to act in the light of ongoing circumstances. However, other forms of EU law place an implicit requirement on the Commission to review matters. If the Commission doesn’t act, the adequacy decisions can be looked at by national supervisory authorities. Article 3 of the Decision provides for an “emergency exit” by granting powers to Data Protection authorities. But the Decision provided so narrow an exit, with so many different requirements for it to be invoked, that the national supervisory authorities in effect are prevented from enacting their powers.

 

How should these requirements be interpreted? It can’t just be a theoretical legal examination, but rather it needs to be a practical issue. Contrary to Ireland’s submissions, Austria saw this not as trying to force EU law on third parties but rather as taking EU citizens’ rights as a starting point and seeking to have them protected. Legal and judicial protection for EU citizens is a central issue.

 

There is no adequacy decision under Article 25.6 of the Directive. Safe Harbour is not a safe harbour for EU citizens but rather a safe harbour for data pirates. Safe Harbour has not amended US law or created any international requirements, so there is no legal basis for the Safe Harbour Decision. It should be repealed, though perhaps with a transitional period for legal certainty.

 

Poland

 

Counsel for Poland referred to Digital Rights Ireland’s point that the Decision was based on the Directive and must be interpreted in the light of the Directive. Therefore the Decision cannot prevent national supervisors from acting under their directive powers, as the Directive is of a higher rank so cannot be limited by the Decision. There can be a presumption of adequacy created by the Decision, but the presumption must be rebuttable.

 

The safeguard mechanism is there to allow national supervisors to suspend flows, but it is too limited. Supervisory authorities must be permitted to conduct investigations, and if they find there is a problem, they must have the right to suspend data transfer. The Directive says that the adequacy of the protection in third countries must be considered in the light of all the circumstances – not just the rules, but also the facts.  This must include the availability of effective judicial oversight.

 

Slovenia

 

Counsel for Slovenia also submitted that national data protection authorities (DPAs) were not prevented from investigating by the Decision. To ensure an adequate level of protection in third parties, the Commission is not limited only to the assessment of legal norms but also their practical implementation. EU citizens have got judicial protections and if there are any breaches under Safe Harbour, there must be judicial remedies at the level of the EU law. The Commission’s findings point to a violation of human rights in respect of transfers and there should not be a requirement on the part of Mr. Schrems to prove an actual breach but to show a strong possibility of a breach.

 

United Kingdom

 

Counsel for the UK submitted that Member States must take all measures necessary to give effect to the Decision’s assessment. Article 25 of the Directive empowers the Commission to establish a common position for the Union, so as not to have conflicting findings. This is integral to international relations on data to allow for international trade.

 

DPAs can investigate the lawfulness of data processing. However, once the Commission has given its decision, the issue of lawfulness has been dealt with. But examining adequacy of individual data transfers remains within the local authorities’ remit. In this way the Directive is therefore in compliance with the Charter.

 

The Commission’s findings on the functioning of Safe Harbour were expressions of policy. They have no legal status, and there is not a requirement to act on foot of them. Had there been such a requirement, the Commission would have done so. Rather, they are part of an ongoing discussion on how to improve the arrangements and this Court isn’t the right place to usurp the Commission Decision. He also noted that if the Court did strike the Decision down, there would be serious effect on transfers to the US risking disruption to trade.

 

European Parliament

 

Counsel for the European Parliament noted that the Commission may make a finding of adequacy ‘only if’ there is adequate protection. The default is a presumption that there is not adequate protection. The Commission only creates a presumption, which can be rebutted in the face of evidence.

 

The Commission cannot, by its Decision, prevent supervisory authorities from exercising their powers under Article 28 of the Directive. The legislature did not give any powers to the Commission under Article 28. Article 25, which allows for the finding on adequacy, does not provide powers to restrict the supervisory authorities.

 

The Commission must take into account all circumstances in determining adequacy. It may exercise its power having regard to two particular issues (law and international commitments), but that doesn’t preclude the Commission from taking anything else into account. Rules of law to be taken into account must include effective judicial protection.

 

US law and practice allows for large scale, unnecessary and disproportionate collection of EU data, and does not provide adequate protection for EU citizens’ data. The Commission therefore cannot maintain there is adequate protection. The Commission was required to suspend Safe Harbour. They have failed to respond to the Parliament’s call to do so. The EDPS and national authorities must and should intervene in the face of clear evidence of a serious violation of EU rights.

 

Commission

 

Finally, Counsel for the European Commission made his submissions. He submitted that every adequacy decision has a procedural safeguard, allowing that suspension is permitted where a specific data transfer is not, in fact, adequate. The limitations on DPAs in the Decision do not limit the right to supervision under Charter Article 8.3 but rather give shape to it. The review powers of the EDPS are only to do with data processing by EU institutions, and the EDPS also is not empowered to review the Commission’s adequacy decisions.

 

In finding on adequacy, the Commission is not restricted to reviewing the laws on the books but also the law in action. There is a requirement for appropriate redress - taking account of different traditions in third countries. Redress can be sought before the FTC or the Dept of Transport or US courts or domestic courts. Echoing Ireland, counsel for the Commission argued that ‘adequate’ does not mean ‘equivalent’.

 

Talks with the US are ongoing and making some progress, but they are complex and political. The Commission cannot conclude that there is an adequate level of protection of all data transfers made under the Safe Harbour principles. However, the Commission must be allowed to have a margin of discretion. It has to balance citizen’s rights with the need for legal certainty, for trade and for the EU’s international relationships.

 

European Data Protection Supervisor

 

Counsel for the European Data Protection Supervisor, Mr. Dockson, stated that Safe Harbour, quite apart from current concerns regarding mass surveillance, was adopted in the face of doubts. The Article 29 working group have tried to make it work. However, 18 months after criticisms were issued by the group, they remain unacted upon. Mass surveillance of this sort was not imagined when the Decision was made. The Safe Harbour system was not designed to allow for the level of surveillance now obtaining in the US.

 

Echoing counsel for Mr. Schrems, he noted that DRI v Ireland clarified when the essence of the right to privacy was infringed. There is serious interference where there is access to the content of the data. In DRI v Ireland, the Court criticised the failure to require the holding of data within the EU, under the control of an Independent data protection authority. In the US, such protections are wholly absent.

 

Regarding the role of the EDPS’ authority, Mr. Dockson referred to the European Parliament’s consideration of EDPS powers. Independence of data protection authorities is crucial. Independence cannot be curtailed by a Commission comitology Decision.

 

The improvements by the US in the coming months must be sufficient. If there is not a positive outcome, then there is a need to suspend the Decision.

 

Court questioning

 

Counsel’s observations having finished, the Judge-Rapporteur led the Court’s questioning.

 

He asked Counsel for the Commission whether the EDPS could or should intervene if the Commission is inactive. Counsel for the Commission replied firstly that the Commission is not inactive, and added that national authorities cannot intervene in respect of third countries while the Commission Decision stands.

 

The Advocate-General then took up the questioning. He referred to Recital 5 of the Decision, which requires that adequacy shall be “ensured”. The Decision itself merely states that it shall be “considered ensured”.

 

Per Pg 35 of the Decision, where US law provides for a breach, then that breach is allowed. So everything that is in the Safe Harbour agreement can be set aside by US national law? If so, how can you then plead that these regulations ensure adequacy? Having taken some advice, counsel for the Commission stated that what must be assessed is a situation, not just a system of laws. The United States ensured that they would enforce the Safe Harbour Principles.

 

The Judge-Rapporteur (JR) now intervened:

 

There is no explicit competence given to the Commission to limit the powers of DPAs. Article 3 does not have any bearing on adequacy.

 

Commission: There is a safety valve in all these adequacy decisions, which can only be a general finding. Rules can be adequate, but their implementation may be problematic.

 

JR: but you say you’re limiting the powers of the independent national authorities. Where do you get that power?

 

Commission: Read Art 25 and 28 together. Adequacy decisions must be complied with by the Member States, and the national authorities must comply.

 

JR: you’ve stated here that you can’t confirm today that adequacy is respected. If this is your finding, what is the implication of recital 57? Or isn’t it limiting your discretion? Shouldn’t you explain your justification for continuing with the Decision?

 

Commission: Legal certainty is a very important consideration. There is a lot of reliance on the Decision currently. And also we need to consider the relations with the third party country.

 

JR: So, you say you’re remaining with the margin of discretion. Are you in essence pleading that the Safe Harbour decision is not subject to Art 8.3 of the Charter? Yes or No?

 

*Commission take instructions*

 

Commission: It is not the task of a national supervisory authority to examine whether the Commission complies with Art 8.3 of the Charter.

 

JR: The answer is no?

 

Commission: The answer is no.

 

The Judge Rapporteur asked counsel for the Commission to consider C-518/07 Commission -v- Germany where it was held that all actions by Independent authorities must be interpreted in the light of their duties.

 

After a lunch break, the questions resumed, with the Court’s Advocate-General (AG) taking the lead.

 

AG: What is the meaning of “ensure”? This verb should mean ‘to make sure that’, i.e. that the third country could be obliged to do something?

 

Commission: Under Article 25 [of the Directive], read as a whole, it is up to the member states to examine the adequacy of the protections. That is not an obligation on a third country. It is an examination of a state of affairs. However, when the Commission reaches the conclusion that there is an adequate level of protection, it has been satisfied that sufficient data protection will be guaranteed in the future. What has happened in the case of the Safe Harbour decision is that the US communicated a letter to the Commission. They ensured us they would enforce the principles.

 

AG: A different question, re Charter Article 8.3. You said that there was an area that was the exclusive competence of the Commission which could not be challenged by the national authorities. In this case, how do you think effective protection can be provided if they were not permitted to consider a swathe of data?

 

Commission: Well, we can only control data protection in the EU, under the Safe Harbour decision as it is applied. As it is currently applied, there is no guarantee that the fundamental rights of the EU citizens are adequately protected in the US. The Commission has taken action.

 

AG: Let’s imagine I’m on Facebook and I decide my rights have been breached. But I don’t see the Commission taking action.

 

Commission: The Commission has analysed the facts, examined the problems and engaged in talks with the US authorities. We were assured by the US President in a speech that there was to be a review.

 

AG: Until then, what happens?

 

Commission: National authorities need to take whatever actions they need to take for individuals. There’s a lot of data already in the US.

 

President Judge: This can’t be your main argument. I don’t understand it. Because there are already violations, then the violations need to continue?

 

Commission: Well, there’s lots of data flowing.

 

President Judge: you don’t intend to change the decision, but rather to seek to get assurances from the US?

 

Commission: Yes, we hope for concrete guarantees. But it’s too early to tell.

 

President Judge: How long will that take? Your recommendations were made in 2013.

 

Commission: There is some hope that our recommendations may be accepted. We shouldn’t be pushed by changing the Safe Harbour situation. It might not improve our position with the US.

 

AG: Perhaps my position is self-centred, but in the meantime my data is still being transferred.

 

Commission: Close your Facebook account. An individual can revoke consent.

 

AG: If I wish to approach a National Authority, I am not able to do so?

 

Commission: You can approach them and if they are restricted by article 3 of the Decision, then that Article needs to be interpreted in the light of Fundamental Rights.

 

Judge Berger of Austria then addressed a question to the Counsel for the Data Protection Commissioner.

 

Judge Berger: Your Data Protection Authority is hopelessly understaffed and you want to attract IT companies to site in Ireland and so are soft on data protection, we understand from the media. Is this why the Data Protection Authority is so willing to exercise self-restraint in exercising powers?

 

DPC: No, new resources have been given.

 

Vice President Lenaerts then addressed some questions to counsel for the Commission.

 

Vice President: The legality of a law must be considered in the light of what is legal at the moment that it is made. All of this happened in the year 2000. Irrespective of the actual form of question referred to the court, validity has been discussed, and let’s not quarrel about semantics.

 

Should we 15 years later be bound by the historical case of fact finding? Should the Commission be seen in all times after that, to be still confirming the 2000 appraisal in the context of all the facts known at subsequent moments?

 

Commission: This is novel and the court should tread carefully. The Court has asked about “old school” validity, but also it may look and see if there was a subsequent duty to act.

 

Vice President: But a national court is looking to this court to know the state of the law. If the Commission is not acting 15 years later, then the court can then assess that decision?

 

Commission: But action does not require the removal or amendment of Safe Harbour. The Court may not substitute its own decision as to when is the right time to review a measure.

 

Judge Rodin: A question of a factual nature: What was the harm to your client [Mr. Schrems]?

 

Schrems: The harm is the breach to his right to privacy.

 

Judge: But do you have any evidence that this happened re your client’s data?

 

Schrems: No, but there is no need in case law flowing from the primary breach to prove an individual breach.

 

Judge: Is the right to privacy absolute or not?

 

Schrems: No right is absolute except perhaps that against torture, but there is no objective reason for access of the data in US law.

 

Judge: A question for the Commission, assuming that mass surveillance took place, might there be an overriding reason for it that would mean that it was still adequately protected?

 

Commission: Over-broad use of the national security exception would damage adequacy.

 

There followed some brief replies from the main parties. Mr. Herwig Hoffman for Mr. Schrems pointed out that the Commission has repeatedly stated that it cannot now state EU citizens’ data is adequately protected. Private companies are not bound by the Safe Harbour principles, where they clash with any US domestic law. In order to justify itself, the Commission has said here that the Decision does not need to comply with Art 8 of the Charter. Independence of the national DPA contains an obligation to uphold individual rights. Article 3 of the Decision purports to fetter this independence. Striking down this Safe Harbour agreement will only affect a couple of thousand companies, who have signed up to it. It will simply place all US companies in the same position as non-Safe Harbour companies have been up until now.

 

Mr. McDermott for the Data Protection Commissioner said that Mr. Schrems has not shown that he personally has been harmed in any way. That is hardly surprising, as the NSA doesn’t care about accessing the essays of an Austrian Law Student. The Court could take advantage of the fact that Mr. Schrems is not being harmed to allow the Commission some time to complete negotiations with the US. The solution is for the walls of Safe Harbour to be built higher, not to allow the harbour to be dismantled brick by brick by individual national authorities.

 

Mr. Crehan for DRI noted that Article 3 provides only for investigations into compliance with the Safe Harbour principles. These principles are such that even if they are complied with, this does not respect fundamental rights.

 

The Commission, concluding, stated that if the Commission can find adequacy, it can find adequacy in a conditional way also. Article 3 does not require too narrow a reading and if they need to, national DPAs can always use their authority under the Charter to read it as widely as they require to act in individual cases.

 

However, this independence does not mean that the Data Protection Authorities are not bound by the law and so they must accept the adequacy Decision. A harmonised approach is necessary to ensure that different member states may not make different findings about the US.

 

Case concluded. Advocate General's Opinion on 24th June.

 

Simon McGarr will present on aspects of this case in a talk titled "Regulation, Litigation and the rise of Fundamental Rights" at the forthcoming Digital Rights Europe conference, 15 April in Dublin.