The Court of Justice of the EU (CJEU) has rocked the privacy community with its response to an inquiry made last June by then-Irish High Court Judge Gerard Hogan, who referred two important questions to the CJEU. The questions were based on a case brought by Austrian student Max Schrems, who claimed in a complaint to the office of the Irish Data Protection Commissioner (DPC) that the U.S. PRISM mass surveillance program—unveiled by Edward Snowden—makes the EU-U.S. Safe Harbor program invalid. When the case was not investigated, Schrems sued in the Irish courts. Hogan referred the case to the High Court to determine:
- Whether in the course of determining a complaint which has been made to [the Commissioner] that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, [the Commissioner] is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
- Or, alternatively, may and/or must the [Commissioner] conduct his or her own investigation of the matter in the light of factual developments in the meantime since [Decision 2000/520] was first published?’
Today, the CJEU said neither the Data Protection Directive nor the Decision 2000/520 could:
“prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”
The CJEU then went onto consider the validity of Decision 2000/520 itself. The court held that it was invalid but without seeming to preempt any investigation that the DPC might undertake. This was because the court made its decision on the basis of what appeared on the face of the Decision 2000/520. The court found that the decision did not adequately protect the fundamental rights of Europeans, and indeed failed to say “that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.” This led the CJEU to declare that Decision 2000/520 is invalid.
In undertaking her investigation, Irish DPC Helen Dixon will have all of the powers that are required by Directive 95/46. In particular, she will have the power to issue information notices and to appoint authorised officers, who may enter onto premises and inspect documents and data found therein. This investigation may be further complicated by the possible multiplication of complaints that may be made to the Irish DPC.
What happens now?
The CJEU has indicated that Decision 2000/520 is invalid; this means that it can no longer provide a basis for transfers of personal data from the EU to the U.S. Where this leaves the case of Schrems v. Data Protection Commissioner remains to be seen. At present that case stands adjourned before the Irish High Court; what happens next in that case is something that the parties will presumably wish to discuss with their lawyers.
It is possible that they will want the Irish High Court to hear arguments on some aspect of that case. If so, then, once the case is ready for hearing, it would have to return to the judicial review list and a date for hearing would have to be sought. Judge Hogan, who originally referred questions to the CJEU, has since been elevated to the Irish Court of Appeal, so it will not be possible for him to take back up the case. Instead, it will be assigned to the next available judge.
Alternatively, the parties may be able to settle the judicial review on terms, such as the original decision of the Irish DPC being set aside and the commencement of an investigation into Schrems’ complaint. Whilst Decision 2000/520 may have been found invalid, some alternative legal basis for transfers to the U.S. may then be asserted. The European Commission has already suggested a few, such as contracts or consent. If so, the DPC will have to investigate whether that alternative legal basis is adequate.
This investigation will face many challenges, not least that of trying to arrange for the amicable resolution of Schrems’ complaint against Facebook. Such amicable resolution is a requirement of Section 10 of the Irish Data Protection Act, but as is clear from the decision of the Irish High Court in Realm Communications v. DPC, if no amicable resolution is possible, then the DPC’s investigation may proceed.
In undertaking her investigation, Irish DPC Helen Dixon will have all of the powers that are required by Directive 95/46. In particular, she will have the power to issue information notices and to appoint authorised officers, who may enter onto premises and inspect documents and data found therein. This investigation may be further complicated by the possible multiplication of complaints that may be made to the Irish DPC. Some may want to ensure that their views are heard in the DPC’s investigation into Schrems’ complaint. And the Irish Courts seem to treat favourably parties who wish to be heard in relation to data protection matters.
For example, in EMI v. DPC, the High Court indicated that the submissions of EMI, the record company, should have been heard in relation to a complaint made to the DPC about Eircom, a telecommunications company (at issue was a scheme for disconnecting those engaged in illegally downloading music from the internet). And in Schrems v. DPC itself, Hogan allowed Digital Rights Ireland to join those judicial review proceedings as amicus curiae, over the objections of Schrems’ own lawyer. Of course others may seek to make their own complaints separately.
What about Weltimmo?
Yet another complication may stem from the recent judgment of Weltimmo. In that case, the CJEU held that data protection authorities in other EU member states may investigate complaints received “irrespective of the applicable law and before even knowing which national law is applicable to the processing in question.” Of course, such authorities may conclude that, having applied the criteria in Weltimmo, that the Irish DPC has jurisdiction. But if not, we may see a number of investigations taking place across the EU.
Will the law change first?
Finally, an investigation by the Irish DPC must inevitably take time, and so may be overtaken by future events. Even if the EU is able to agree on its proposed Data Protection Regulation, whatever is agreed will not enter into force for another two years or more. However, it may be possible for the Safe Harbour principles themselves to change more swiftly. It remains to be seen whether that will come about and what impact such changes may have on any DPC investigation.
If you want to comment on this post, you need to login.