Europe’s Data Protection Authorities are required to be independent. Both Article 8(3) of the EU’s Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union require that compliance with the EU’s data protection rules be subject to control by independent supervisory authorities. The EU is currently endeavouring to reform these data protection rules, but for now they are set out in the Data Protection Directive, which dates back to 1995. The purpose of that directive was to ensure that individual member states of the EU did not adopt individual data protection rules which might interfere with the EU’s single market, which allows member states of the EU to trade freely with one another.
Of course, member states of the EU do not just trade with themselves; they also trade with states outside the EU such as the U.S. And so the Data Protection Directive provides that the EU Commission may find “that a third country ensures an adequate level of protection” that allows for data transfer to that state. The EU Commission issued such a finding in relation to the U.S. in 2000, allowing U.S. companies that comply with the so-called “Safe Harbor Principles” to freely process the data of EU data subjects. This finding, Decision 2000/520, was the subject of a complaint made by Max Schrems, an Austrian, to the Irish Office of the Data Protection Commissioner (DPC) in June 2013. Schrems complained that “the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance” (paragraph 25). This complaint followed from the Snowden revelations, particularly those about the U.S. National Security Agency. His complaint was rejected by the Irish DPC on the basis that “Any question relating to the adequacy of the protection of that data in the United States had to be settled in accordance with … Decision (2000/520) which prevented him from examining the problem raised by the complaint” (paragraph 27).
That rejection was challenged in the Irish High Court, which referred two questions to the Court of Justice of the European Union (CJEU):
- Whether in the course of determining a complaint which has been made to [the Commissioner] that personal data is being transferred to another third country (in this case, the U.S.) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, (the Commissioner) is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of (the Charter), the provisions of Article 25(6) of Directive [95/46] notwithstanding?
- Or, alternatively, may and/or must the [Commissioner] conduct his or her own investigation of the matter in the light of factual developments in the meantime since (Decision 2000/520) was first published?
This case, Schrems v Data Protection Commissioner (C-362/14), was heard by the CJEU in May of this year; the opinion of Advocate General Bot was issued today, on 23 September 2015. This is not a judgment of the CJEU itself. Rather, the function of an advocate general is to make “reasoned submissions” on cases before the CJEU, “acting with complete impartiality and independence.” These submissions may then inform the court when giving judgment at some future, yet to be determined, date.
The first part of Bot’s opinion is a straightforward consideration of what he describes as “the central issue in the … case,” namely, “whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on the national data protection authority and prevents it from investigating allegations challenging that finding” (paragraph 57).
Data protection is now one of the rights set out in the EU’s Charter of Fundamental Rights. Bot is of the opinion that “as guardians of fundamental rights, the national supervisory authorities must be able to investigate, with complete independence, the complaints submitted to them, in the higher interest of the protection of individuals with regard to the processing of personal data” (paragraph 73). He continues that their powers to investigate complaints “with complete independence … cannot therefore be limited by the powers which the EU legislature has conferred on the Commission … to find that the level of protection ensured by a third country is adequate” (paragraph 79). And Bot considers that “in the light of the essential role played by the national supervisory authorities in the system put in place by Directive 95/46, they must have the power to order the suspension of the transfer of data where there is a proven breach or a risk of a breach of fundamental rights” (paragraph 93).
This led Bot to conclude that the EU’s various data protection rules “must be interpreted as meaning that the existence of a decision adopted by the European Commission … does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data” (paragraph 237).
But Bot goes further than simply suggesting answers to the questions directly asked of the court. Having found that the Irish DPC should have investigated the complaint made to him, the advocate general appears to preempt such an investigation by giving his own assessment that Decision 2000/520 is invalid. In doing so, Bot achieves the quite remarkable feat of making the CJEU’s forthcoming judgment in Schrems v Data Protection Commissioner even more interesting than it was already. The questions asked of the CJEU are quite specific to two EU laws: Directive 95/46 and Commission Decision 2000/520. Both laws are under review at present and, hopefully, may shortly be replaced. By going on to provide his own assessment of the complaint made by Schrems, Bot has effectively placed a more fundamental question before the CJEU: What is the role of data protection supervisors vis-à-vis the courts? Should the courts preempt a data protection supervisor by providing their own assessments of a complaint or should the courts allow supervisors to first investigate a complaint before considering whether those investigations were properly conducted? Bot himself exhibits some ambiguity on this point, saying as he does that “to deprive the national supervisory authority of its investigative powers in circumstances such as those at issue in the present case would be contrary not only to the principle of independence but also to the objective of Directive 95/46…” (paragraph 95). Some may feel that this suggests that an investigation by the Irish DPC is required before Decision 2000/520 is held invalid; others—including, it seems, Bot—may not. It will be interesting to know what the CJEU thinks: whether its judgment will be limited to the question of whether the Irish DPC should have conducted an investigation or whether the CJEU goes on to consider what the outcome of such an investigation might be.