On October 6, the Court of Justice of the European Union (CJEU) delivered its judgment in Schrems, holding as invalid the Safe Harbor decision of the European Commission. That decision had enabled the easy flow of European personal data across the Atlantic and into the U.S. It is unsurprising that immediate discussion focused upon that invalidity. But the Commission and the U.S. government may well ultimately enter into a new Safe Harbor agreement; indeed, the Commission has already indicated that such an agreement may be on its way. Such an agreement may, or may not, satisfy the CJEU—it would be surprising if whatever the EU and U.S. agree upon did not find its way back to Luxembourg, where the CJEU sits, before too long.
But Schrems may remain significant even after that Safe Harbor issue is resolved. In particular, Schrems clarifies our understanding of how the EU’s data protection authorities (DPAs) should interact with EU institutions such as the Commission and CJEU. The reaction of DPAs to Schrems is also significant, not least because those reactions may impact upon ongoing negotiations on Europe’s proposed General Data Protection Regulation.
What Does Schrems Say About DPAs?
In Schrems, the CJEU notes that DPAs are established to monitor “with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of … data.” What is intriguing about this discussion is that the CJEU seems to view DPAs as having a broader role than the simple protection of privacy. As the CJEU states, the independence of DPAs “was established in order to strengthen the protection of individuals and bodies affected by the decisions of those authorities.” The court pointed out that the independence of DPAs is “an essential component of the protection of individuals with regard to the processing of personal data” but then went on to reiterate a view expressed in previous judgments that DPAs “must … ensure a fair balance between … observance of the fundamental right to privacy and … interests requiring free movement of personal data.”
This is no more than a repetition of the obligation imposed by Article 16(2) of the Treaty on the Functioning of the European Union. But the treaty imposes that obligation directly upon the EU’s legislature, not its DPAs. The CJEU’s reiteration that this obligation applies to DPAs as well as the EU legislature is intriguing.
Having considered the independent roles of DPAs, the CJEU went on to consider how they should apply EU law. The CJEU recalled that its case-law had long established that the EU “is a union based on the rule of law in which all acts of its institutions are subject to review of their compatibility with … the treaties, general principles of law and fundamental rights.” But it went on to make clear that it “alone has jurisdiction to declare that an EU act, such as a commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid …”
This repeats the view expressed earlier in the judgment that “until such time as the Commission decision is declared invalid by the Court, the Member States and … independent supervisory authorities … cannot adopt measures contrary to that decision.”
The CJEU made it explicitly clear that DPAs are bound by decisions of the Commission until that court finds them invalid. DPAs have no jurisdiction to “look-behind” the validity of such decisions, though they can of course consider complaints about the data transfers that such decisions enable.
What Has the Reaction of DPAs Been?
The reaction of the EU’s DPAs has been varied. The Article 29 Working Party established by Directive 95/46 considers “that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” It has issued a statement that it is continuing to analyse the judgment in Schrems, indicating that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, that statement concludes with the warning that: “If by the end of January 2016, no appropriate solution is found with the U.S. authorities … EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Some individual DPAs have issued their own guidance. The UK Information Commissioner’s Office has reiterated its simple and sensible advice: “Don’t Panic.” German DPAs have issued a position paper. These various statements from EU DPAs must be considered in the context of what the CJEU said about their role in Schrems. The CJEU made clear that decisions of the Commission are lawful until such time as it—and nobody else—has found them to be unlawful: “Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.”
DPAs must investigate “with all due diligence” complaints from data subjects concerned about the transfer of their data outside the EU. If the DPA to which such a complaint is made concludes that it is “well founded,” then that DPA must “engage in legal proceedings” and place its conclusions “… before the national courts in order for them … to make a reference (to the CJEU) for a preliminary ruling.”