On October 6, 2015, the European Court of Justice (ECJ) issued its decision in C-362/14 (Maximilian Schrems v. Data Protection Commissioner). As suggested by the Advocate General Yves Bot (“AG”) on September 23, 2015, (see here), the ECJ held a Commission’s decision of adequacy pursuant to Article 25(6)
does not prevent a supervisory authority of a Member State, … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
In addition and foremost, the ECJ found that “Decision 2000/520/EC, is invalid.”
First, the Court highlights how no provision of Directive 95/46/EC prevents oversight by the national supervisory authorities.
Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.
The ECJ notes how the Commission found that US public authorities can
access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Schrems at 90.
Also, the Commission found that “the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased. Schrems at 90.
According to the ECJ,
legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (Schrems at 94)
Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter. Schrems at 95
The Court declared the Safe Harbour Decision invalid. The Irish supervisory authority will have to
examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data”.
For more information, Francesca Giannoni-Crystal