On Tuesday, Vice-President Andrus Ansip and Commissioner Vera Jourová announced that the EU Commission had approved a political agreement on what will henceforth be known as the “EU-US Privacy Shield.” Over the coming weeks they will have to draft a fresh EU Commission adequacy decision to replace the previous “Safe Harbor” decision, which the Court of Justice of the European Union found invalid in Schrems. There is already speculation that the validity of this new decision will itself be challenged in the CJEU; as much is clear from discussions in the European Parliament the night before. So Ansip and Jourová will need to draft as robust a decision as they can, if that decision is to withstand review by the CJEU.
In Schrems, the CJEU held that an EU Commission adequacy decision must “ … find, duly stating reasons, that [the U.S.] in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” Such a finding was missing from the Safe Harbor decision, which led the CJEU to find it invalid. The CJEU found that the Safe Harbor decision “lacked sufficient findings regarding the measures by which the United States ensures an adequate level of protection” and laid down that “national security, public interest, or law enforcement requirements” had primacy over the Safe Harbor principles.
Furthermore, the Safe Harbor decision did not contain “any finding regarding … rules adopted … to limit any interference with the fundamental rights of the persons whose data is transferred … ” nor did it “refer to the existence of effective legal protection against interference.” All of these elements missing from the Safe Harbor decision will have to be present in the EU-U.S. Privacy Shield decision if the new decision is to withstand review by the CJEU.
So there is some clarity about what an EU Commission adequacy decision should contain, but much else remains unclear. Defects in the Safe Harbor decision itself meant that the CJEU did not consider the content of the Safe Harbor principles themselves. The CJEU did explain that the protections provided by such an EU-U.S. agreement do not have to be identical to those provided by EU law, but must be “equivalent” in effect. The EU Commission’s discretion when deciding whether such protections are adequate will be “reduced,” as it will have to strictly apply the requirements of EU privacy and data protection law.
But we do not know exactly what the CJEU thinks this may mean in practice; nor do we know whether the CJEU would really want to assess the adequacy or inadequacy of U.S. law. The president of the CJEU reassured The Wall Street Journal that his court was not “ … judging the U.S. system …” shortly after the Schrems judgement issued. And it is true that when the CJEU stated in Schrems that “… legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life … ” that court was not judging U.S. law, but simply reiterating its judgment in Digital Rights Ireland. It's also unclear how or when a new EU Commission adequacy decision will come before the CJEU.
The Article 29 Working Party, which is made up of the EU’s data protection authorities, has identified four essential guarantees for intelligence activities:
- Processing should be based on clear, precise and accessible rules;
- The objectives of the processing should be necessary and proportionate;
- There should be independent oversight; and,
- Effective remedies.
The Article 29 Working Party has asked that the Commission provide it with all relevant documentation by the end of this month. It will then hold an extraordinary plenary meeting to consider all issues relating to personal data transfers to the U.S.
The outcome of that meeting remains to be seen. Every EU DPA has the power to prohibit transfers from its country to outside the European Economic Area, of which the EU is a part. But as the CJEU made clear in Schrems, an adequacy decision adopted by the EU Commission is binding upon EU member states and their DPAs until revoked or declared invalid by the CJEU. This does not exclude DPAs from oversight of such transfers or considering complaints from subjects about such transfers. If a DPA forms the view that such a complaint is well-founded, then that DPA will have to ask its national courts “ … to make a reference (to the CJEU) for a preliminary ruling for the purpose of examination of the decision’s validity.”
Such a reference will not be heard instantly. And there is a lot that can happen while such a reference is winding its way through national and EU legal systems. The GDPR may well come into effect before such a reference could come before the CJEU, which will change the EU law on international transfers of personal data. Alternatively the EU-U.S. Privacy Shield may itself change. One of the criticisms that the CJEU had of the original Safe Harbor decision was that it did not provide for the EU Commission to undertake periodic reviews of its validity. It seems likely that such an annual review mechanism will be part of the EU-U.S. Privacy Shield. This may allow the EU Commission to seek the rectification of any apparent flaws, prior to their review by the CJEU.
Finally, the CJEU is not a common law court and is not bound by the doctrine of precedent. The CJEU has previously changed its approach to surveillance issues in a manner that the English Courts found both extraordinary and striking; it is not beyond the bounds of possibility that the CJEU will change its approach again. The CJEU is “the engine of European integration” after all.