Francesca Giannoni-Crystal, The rationale of Advocate General Bot’s Opinion in Schrems: why the Safe Harbor Decision is invalid

On September 23, Advocate General Yves Bot at the European Court of Justice (“AG”) released his Opinion in C-362/14 (Maximilian Schrems v. Data Protection Commissioner). Waiting for the decision of the European Court of Justice – expected on October 6 – and keeping in mind that the Court follows the Advocate General’s opinions 80% of times (even if the situations is much more nuanced than a percentage can express – see How often does the ECJ follow Advocates General? Or should that be CJEU?), let’s see the legal reasoning behind the famous AG’s Opinion.

On June 18, 2014, the Irish High Court referred to the EU Court of Justice a number of questions concerning the application of the Safe Harbour principles regarding cross-border transfer of data, the key issue being whether European national authorities are “absolutely bound” by the EU Commission’s evaluation of adequacy (Safe Harbour), or whether they could still conduct their own investigations to determine if in the third country personal data are adequately protected. In short, the AG has opined that national authorities are not and that the Commission’s Decision of adequacy 2000/250 (Safe Harbour) in invalid.

Let’s make a step backward and understand what we are talking about. Pursuant to Article 25(1) of Directive 95/46/EC (Data Protection Directive), the transfer of data to a third country may take place only if the third country ensures an adequate level of protection of such data. Article 25(6) allows the Commission to find (and to enter a decision to that effect) that a third country ensures an adequate level of protection by reason of its domestic law or the international commitments, so allowing the transfer to this third country. The Commission did issue a decision of that sort relating to United States (Decision 2000/520/EC of 26 July 2000 – here), so providing a legal basis for the transfer of personal data from the EU to the US provided that the US recipient adheres to the Safe Harbour principles. Read more on the Safe Harbour here.

In 2013, Mr. Schrems, an Austrian data protection activist, sued the Irish Data Protection Commissioner after the latter refused to investigate his complaint (lodged on 25 June 2013) that the transfer of data from Facebook Ireland to its parent company in the United States was to a country that did not offer the same level of data protection as the EU. Schrem’s allegation was that after Edward Snowden’s revelation concerning NSA’s mass surveillance (PRISM program), it was clear that the law and practices of the US offered no real protection of the data kept in the United States against mass surveillance. The Commissioner felt to be absolutely bound by the adequacy evaluation of Decision 2000/520. Schrems sued the Commissioner. See more in our blog here. The High Court stayed the proceeding and asked the European Court of Justice (ECJ) to provide a preliminary ruling on the following questions:

Whether in the course of determining a complaint which has been made to [the Commissioner] that personal data is being transferred to another third country … the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, [the Commissioner] is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?

Or, alternatively, may and/or must the [Commissioner] conduct his or her own investigation of the matter in the light of factual developments in the meantime since [Decision 2000/520] was first published?’

The ECJ heard oral arguments last March.

Last week the Advocate General issued his nonbinding Opinion. It is not difficult to see that the real question is whether the Safe Harbour should still stand.

In the Advocate General’s opinion:

 the existence of a decision adopted by the Commission on the basis of Article 25(6) of Directive 95/46 cannot eliminate or even reduce the national supervisory authorities’ powers under Article 28 of that directive. Contrary to the Commission’s contention, if the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.

 In his opinion, independence of the national supervisory authorities is key to their role of guardians of the fundamental right of privacy of European citizens; their “powers of intervention must remain intact even when the Commission has adopted a decision on the basis of Article 25(6) of Directive 95/46” (as in the case of the Safe Harbour Decision). If the national supervisory authorities were absolutely bound by a Commission’s decision, then their independence would be limited, which cannot be. Also, the AG noted, Chapter VI of the Directive (role national supervision authorities) is not hierarchically subordinate to Chapter IV of Directive on the transfer of personal data (the Chapter where Article 25 is).

Not only the powers of investigation of the national authorities are unfettered (and their assessment of “level of protection afforded by a third country” is done at the light of a “range of circumstances, both factual and legal), but if at the completion of its investigations, “a national supervisory authority considers that the contested transfer of data undermines the protection which citizens of the Union must enjoy with regard to the processing of their data, it has the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its decision.”

In other words, the finding that the third country offers an adequate level of protection is not an exclusive power of the Commission, it is “a shared competence” of the Commission and the national supervisory authorities: by its Decision, the Commission does not oust the national supervisory authorities of jurisdictions.

Which is the role of the Commission’s Decision, then? The Commission’s Decision “play[s] an important role in ensuring uniformity” and is good until its finding of adequacy is called into question, as it is the case here.

While an “adequacy decision (has the effect of authorizing) … the transfer of personal data to the third country concerned”, that does not mean that “citizens of the Union can no longer submit requests to the supervisory authorities” and that the national supervisory authorities have lost the power to impose a temporary or definitive ban on the processing of personal data.

The case law of the ECJ has already clarified – he states – that the Data Protection Directive provisions must be interpreted in order to promote the fundamental right of privacy, as enshrined in Article 7 and 8 of Charter of fundamental Rights of European Union. See, e.g., Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

The AG questions the validity of the Decision 2000/520 itself. It would not be the first time – he remarks — that the Court declares the invalidity of an act that it was called to interpret (see e.g.,  Strehl (62/76, EU:C:1977:18,; Roquette Frères; (145/79, EU:C:1980:234,); and Schutzverband der Spirituosen-Industrie (C‑457/05, EU:C:2007:576)

He lists the factors that the Court should consider to assess the invalidity of the Decision.

First, he notes how the assessment of validity is not static but must “necessarily evolve according to the factual and legal context prevailing in the third country.” If the Commission has maintained its Decision for 15 years, it must mean that it still finds the level of protection of the US adequate. However, he says, it is appropriate to evaluate “the current factual and legal context” including “new circumstances”.

Second, he highlights that the level of protection that Article 25 requires to allow the transfer is “high” – the Directive does not allow to compromise on the level of protection but only allows the transfer to a country that offered an “essentially equivalent” level of protection, “even though the manner in which that protection is implemented may differ from that generally encountered within the European Union.” The maintenance of that high level of protection is a condition for the exercise of the power that Article 25 grants the Commission.

The United States, in the opinion of AG, do not grant that high level of privacy protection:

 First, personal data transferred by undertakings such as Facebook Ireland to their parent company established in the United States is then capable of being accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data. Indeed, in the wake of Edward Snowden’s revelations, the evidence now available would admit of no other realistic conclusion.  Second, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies. …

 [A]ll companies involved in the PRISM programme, which grant access to United States authorities to data stored and processed in the United States, appear to be certified under the safe harbour scheme. According to the Commission, this has made the safe harbour scheme one of the conduits through which access is given to United States intelligence authorities to the collecting of personal data initially processed in the European Union. …

 It follows from these factors that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.

 Those findings of fact demonstrate, in my view, that Decision 2000/520 does not contain sufficient guarantees. Owing to that lack of guarantees, Decision 2000/520 has been implemented in a manner that does not satisfy the requirements of the Charter or of Directive 95/46.”

 Third, the breach of European citizens’ right of privacy that the transfer allows is worsened by the circumstance that “in the United States citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data.”

Fourth, the AG notes that the point is not that Facebook is breaching the law (“The allegations relied on in the context of the present case do not amount to a breach by Facebook of the safe harbour principles. If a certified undertaking, such as Facebook USA, gives the United States authorities access to the data transferred to it from a Member State, it may be considered that it does so in order to comply with United States legislation”). The point is that the Safe Harbour allows for derogations and these derogations had been interpreted too broadly by the US.

The Safe Harbour allows for derogations of the Scheme:

 (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation”.

The AG notes how “the ‘legitimate interests’ referred to in that provision are not defined” and that the “derogation is contrary to Articles 7, 8 and 52(1) of the Charter since it does not pursue an objective of general interest defined with sufficient precision.”

Indeed, the AG finds “it extremely doubtful that the limitations at issue in the present case may be regarded as respecting the essence of Articles 7 and 8 of the Charter.”

Fifth, the AG opines that the interference that the Safe Harbour allows is not justified (and here The AG performs a strict scrutiny analysis very similar to the analysis that the US Supreme Court performs when it analyzes the constitutionality of laws that infringe on fundamental rights or involve suspect classification).

Sixth, while already based on the vagueness of derogation, Decision 2000/520 should be consider invalid, there is more on proportionality of the interference to the right of privacy:

 Such an interference must be an appropriate means of attaining the objective pursued by the EU measure at issue and be necessary for the purpose of attaining that objective.

 ‘[s]o far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law …, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary’. (internal quotation marks omitted).

 Here “the implementation of those limitations is not confined to what is strictly necessary to achieve the objectives referred to.” In particular, he opined:

I note, in that regard, that the access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.

Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.

 Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.

 Seventh, the AG also notes how in the US there is nothing comparable to the EU national supervising authorities:

the private dispute resolution mechanisms and the FTC, owing to its role limited to commercial disputes, are not means of challenging access by the United States intelligence services to personal data transferred from the European Union.

 Eighth, in light of the abuse and absence of redress for EU citizens, the Commission (which has recognized that “[t]he reach of these surveillance programmes, combined with the unequal treatment of EU citizens, brings into question the level of protection afforded by the Safe Harbour arrangement”) should have suspended the Safe Harbour (“The obligation owed by the Commission is to suspend the application of a decision which it has adopted on the basis of Article 25(6) of that directive in the case of proven shortcomings on the part of the third country concerned, while it conducts negotiations with that country in order to put an end to those shortcomings”). Instead the Commission only entered “into negotiations with the United States in order to reform the safe harbour scheme”.

In AG’s view, Decision 2000/520 “must therefore be declared invalid since, owing to the breaches of fundamental rights described above, the safe harbour scheme which it establishes cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.”

In conclusion, the Advocate General “propose[s] that the Court should answer the questions referred by the High Court as follows:

 Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.

 For more information, Francesca Giannoni-Crystal