On March 24, the European Court of Justice (ECJ) examined a key question concerning the future of transborder data flows between the U.S. and Europe. The outcome of this case could have wide-ranging ramifications for anyone who transfers data from the EU to the U.S. through the Safe Harbor agreement.
The question posed to the ECJ arose out of the Office of the Irish Data Protection Commissioner’s (DPC) refusal to investigate Austrian student Max Schrems’ complaint to the DPC. Schrems filed his complaint after Edward Snowden leaked U.S. National Security Agency (NSA) documents that depicted U.S.-based Facebook, Inc., as one of several Internet firms forwarding its user data to the NSA for reasons of espionage, national security and other matters. Schrems’ complaint was regarding the transfer of his personal data by Facebook Ireland to Facebook, Inc., where his data could be subject to the mass and indiscriminate general surveillance described in the NSA documents. The DPC's refusal to investigate the matter further was based on the opinion that it was bound by the EU community finding that the Safe Harbor agreement offers adequate protection under EU data protection law.
Questions Referred to the ECJ
After Schrems’ arguments were rejected by the Irish DPC, Schrems filed for judicial review against the Irish DPC’s finding with the Irish High Court. Upon review, the Irish High Court asked the ECJ to determine two key questions:
- Whether a data protection commissioner, who is in charge of enforcing data protection legislation, is bound by a community finding that the Safe Harbor agreement provides adequate protection in the face of a complaint alleging it does not,
- Or alternatively, may and/or must the commissioner conduct an independent investigation of the matter in light of the factual developments since the Safe Harbor agreement was first published?
ECJ Oral Hearing
The ECJ held its oral hearing on March 24, where Schrems had three main arguments. He argued that mass surveillance constitutes a greater breach than the mere retention of metadata for a short period, which was found invalid in the ECJ case Digital Rights Ireland; that the Safe Harbor Agreement should be invalidated, and that there is an obligation on national DPAs to protect the fundamental right to privacy.
Member states and key EU bodies also intervened to voice their opinions on such an important case. Ireland agreed with its DPC and argued that it is for the European community as a whole to make a decision on what constitutes adequate protection under the Directive, not individual DPAs. The UK argued that DPAs must comply with adequacy decisions adopted by the European community. However, the UK explained that this does not prevent DPAs from determining whether a specific transfer fails to offer adequate protection, even if it is generally covered by an adequacy decision.
Poland, Belgium, Italy and Slovenia argued that the presumption of adequacy must be able to be rebutted and that the powers bestowed on the DPAs through the Directive trump any provisions of the Safe Harbor agreement in the case of incompatibility. Austria stood behind Schrems and outright argued that the Safe Harbor agreement needed to be repealed.
Counsel for the European Parliament argued that DPAs have the power to assess compatibility with fundamental rights in individual instances. Furthermore, Parliament stressed that the U.S. does not offer adequate data protection—noting “systematic inefficiencies”—and argued that the Safe Harbor agreement should be suspended. Alternatively, counsel for the European Commission argued that DPAs have no power to suspend the Safe Harbor agreement. The commission’s counsel referenced the proposed data protection regulation as the best tool to address Safe Harbor concerns.
Questioning by the Court
Questioning by the advocate general and the judge rapporteur surrounded the adequacy of the Safe Harbor framework itself. The majority of the questioning was directed at the counsel for the European Commission. The advocate general wanted to know how the commission ensures adequate protection for data subjects when counsel for the commission admitted during the oral proceedings that he cannot confirm whether there are adequate protections set in place by the Safe Harbor agreement to uphold the fundamental right to data protection. In response, the commission referred to its renegotiations on the Safe Harbor agreement as the best way to combat any issues with it. The advocate general then asked what an individual Facebook user like Schrems might do while awaiting the renegotiations on the Safe Harbor agreement. The European Commission responded that concerned users should close their Facebook accounts and revoke their consent.
Why Is This Case Important?
The ECJ may invalidate the Safe Harbor agreement. Ultimately, the ECJ can rule in one of three ways.
First, the court can agree with the Irish DPC and rule that DPAs are bound by the Safe Harbor agreement. This will leave things at the status quo.
Second, the court can rule that DPAs can conduct independent investigations into the adequacy of protection provided in particular instances. However, if the ECJ holds that a commissioner can conduct his or her own independent fact-finding investigation, then the Safe Harbor agreement is in danger. This is due to the fact that there are many countries, as voiced in this case, which are critical of the adequacy of the Safe Harbor agreement with corresponding critical DPAs. Moreover, Article 3(1) of the Safe Harbor agreement expressly allows “the competent authorities in member states to suspend data flows to an organization that has self-certified.” Therefore, the only way that the Safe Harbor agreement can continue to stand is if the ECJ rules that a commissioner is bound by the community finding that Safe Harbor agreement offers adequate protection and no independent investigation by DPAs and subsequent suspension may be done.
Third, the court can rule on the validity of the Safe Harbor agreement. The court can legally do this in two ways. First, the court can follow case precedent set out in Schwarze, in which the ECJ held that if the real purpose of the questions submitted to the court is concerned more with the validity of the community measure than with the interpretation, it is appropriate for the court to consider the validity of the measure. The question that was posed by the Irish High Court does address the effect of recent changes in EU law and surveillance technology that occurred after the Safe Harbor agreement was created. Therefore, this could be interpreted as addressing the Safe Harbor agreement’s validity as a community measure. Alternatively, the court can rule on the validity of the Safe Harbor agreement under Article 267 of the Treaty Establishing the European Economic Community. Under Article 267, if a preliminary ruling is asked on the “interpretation of a community act,” then the ECJ has the authority to rule ex officio (by right) on the validity of that act. Therefore, because the commission, Schrems and Austria have asked the court to consider the legality of the Safe Harbor agreement during the oral hearing, the court may consider these arguments and review the legality of it.
Businesses Should Explore Other Adequacy Mechanisms To Transfer Their Data Between the EU and US
With the potential invalidation of the Safe Harbor agreement, companies may be forced to enter into new arrangements regarding how they transfer data between the EU and the U.S. Important adequacy mechanisms businesses should consider adopting in the face of Safe Harbor agreement uncertainty include binding corporate rules, model clauses or individual consent from each of data subjects. Companies may want to explore these options so as to prepare themselves in advance of any ruling to ensure adequate data privacy measures are allocated.
The ECJ's advocate general will give his opinion on the case on June 24.
If you want to comment on this post, you need to login.