On 23 September 2015, Advocate General Yves Bot delivered his opinion in Schrems v. Data Protection Commissioner (Case C-362/14), one of the most significant data protection cases ever to come before the Court of Justice of the European Union (CJEU). In his opinion, AG Bot found that the national data protection authorities (DPAs) must be able to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement, and that the Safe Harbor should be invalidated since it does not provide “adequate protection” under Article 25 of EU Directive 95/46. While there is no doubt that the Safe Harbor has some important deficiencies and has long needed an overhaul, I find that some of the AG’s conclusions are based on questionable assumptions, and hope that the Court will reconsider them when it delivers its judgment.
The case arose from proceedings before the Irish courts brought by Max Schrems, an Austrian PhD student and privacy activist, in which he challenged the legality of a decision by the Irish Data Protection Commissioner, the respondent, not to investigate claims relating to data transfers by Facebook under the Safe Harbor. The case eventually wound up in the High Court of Ireland, which on 18 June 2014 referred two questions to the CJEU, asking whether the DPAs are bound by Commission decision 2000/520/EC finding that the Safe Harbor provides adequate protection under the Directive, or whether they may conduct their own investigations into its adequacy in light of Articles 7, 8, and 47 of the EU Charter of Fundamental Rights.
In his opinion, AG Bot finds that Article 3(1) of the Safe Harbor decision strictly circumscribes the powers of the DPAs to suspend data transfers (para. 112), and is “so narrow that it is difficult to put into practice” (para. 115). However, on closer inspection the conditions contained in Article 3(1) would not seem difficult to meet if a DPA strongly believes that the Snowden revelations require the suspension of data flows (i.e., determining that “there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond”). Nor does Article 3 restrict the ability of the DPAs to conduct investigations regarding the Safe Harbor as the AG claims (para. 117); indeed, that provision states that it does not affect any powers of DPAs arising under the Directive other than Article 25.
Commission adequacy decisions are designed to produce a coordinated EU approach to the regulation of international data transfers. The CJEU has held in both Lindqvist (Case C-101/01, para. 96) and ASNEF (Joined Cases C-468/10 and C-469/10, para. 29) that Directive 95/46 “amounts to harmonization which is generally complete”. It has also recently held that differing views of fundamental rights under Member State law must not be allowed to undermine the effectiveness of EU law (Cruciano Siragusa, Case C-206/13, para. 32, and Melloni, Case C-399/11, para. 59). The DPAs have widely differing views regarding transatlantic data flows (compare, for example, the liberal views of the Irish and UK DPAs with the more restrictive ones of the DPAs in the German Länder), and allowing them to reach individual interpretations of Commission adequacy decisions would result in fragmentation that could undermine the effectiveness of the right to data protection in EU law.
Former European Data Protection Supervisor Peter Hustinx has written that the standards for international data transfers in EU data protection law are “based on a reasonable degree of pragmatism in order to allow interaction with other parts of the world”. However, AG Bot interprets the Directive’s reference to an “adequate level of protection” (Article 25 of the Directive) to mean “a level of protection that is essentially equivalent to that afforded by the directive” (para. 141 of his opinion), which leaves little room for a pragmatic interaction with foreign legal systems. “Equivalent protection” is the standard for the approximation of data protection laws among the EU Member States (see Recital 9 of the Directive), but the formulation of “adequate protection” in Article 25 was specifically preferred over “equivalent protection” by the EU legislator when the Directive was drafted in order to provide added flexibility with regard to third countries (see Dammann/Simitis, EG-Datenschutzrichtlinie, p. 273).
The AG also seems not to see the irony in criticizing the Safe Harbor for failing to create a DPA-like independent body with the authority to monitor US intelligence agencies (para. 207) when the DPAs themselves do not have such authority with regard to the intelligence agencies in their own Member States (see Article 3(2) of the Directive). Thus, the opinion holds third countries to a higher standard than that required of the Member States under EU law.
The AG also makes unrealistic assumptions concerning the power of the DPAs to protect EU data from US intelligence surveillance (see paras. 207-210). It is true that some other data transfer mechanisms (such as EU standard contractual clauses or binding corporate rules) grant supervisory powers to the DPAs (e.g. audit rights) that are lacking under the Safe Harbor. However, as I have written in an earlier post, the protections against data access by the intelligence agencies contained in those other mechanisms are similar to those in the Safe Harbor, and the enforcement powers of the DPAs end anyway at their national borders, so it is an illusion to expect that supervision by the DPAs can provide effective protection by itself.
Since the criticisms the AG makes of the Safe Harbor concerning access to data by the intelligence services could also be made of these other data transfer mechanisms, their validity would seem to be thrown into question as well. The logical consequence of the opinion would thus seem to be that Europeans should only have access to data stored in Europe and a limited possibility to communicate with the rest of the world, which would interfere with other important fundamental rights under the Charter such as the right to freedom of expression and to communicate across borders (Article 11).
Invalidating the Safe Harbor would be counterproductive in terms of spreading the influence of EU data protection law in third countries. Bradford has written of the “Brussels effect” that has allowed the EU to export its regulatory approach to the rest of the world. Anyone working on the practical side of data protection during the last 15 years knows that the Safe Harbor is a good example of this, since it has caused many US companies to adopt protections based on EU data protection law.
The AG makes some valid criticisms of the Safe Harbor, which would support demands that it be strengthened and that intelligence access to data be restricted. However, invalidating it completely would send a signal to third countries in other regions that it is futile for them to even attempt to adapt their law to EU standards since they have no chance of satisfying them. And given that only six adequacy decisions (five minus the Safe Harbor) have been issued for countries outside the European region in the 17 years since the Directive came into force, who could blame them?
The vision of an EU approach to data protection that is open to interfaces with other legal systems is not one of weakness or watered-down standards, but of strength, since it is only by remaining engaged and open to cooperation with other privacy systems that EU data protection law can survive in a pluralistic world and exert its influence in third countries. Unfortunately, as its 2014 Google Spain judgment illustrated, the Court apparently does not see any need to view data protection law in the broader international context of the Internet and global communications. It is hoped that in its judgment in the Schrems case, which will be delivered on 6 October, it will go beyond AG Bot’s opinion to consider what is ultimately at stake for other fundamental rights and the place of EU data protection law in a globalized world.
Well, the court doesn’t like the safe harbour, because it delegates the enforcement of the fundamental right to data protection to a foreign government, which has a different and possibly more restricted understanding of this very fundamental right, especially when it concerns foreign citizens (no equality of treatment – by far). Wasn’t this predictable?
Safe harbour has always been criticized because of its ambiguity – how could a unilateral decision combined with a voluntary programme provide constitutional-like guarantees, especially if there is no commitment of the US side to equal treatment?
EU law provides for other harmonised ways to legitimate international flows of data, such as standard contractual clauses and binding corporate rules. These tools do not raise any legal order issue. Large and small US bluechip companies (e.g. Microsoft, GE and many smaller players) are using those tools without any problem, and at low cost. So isn’t it a lot of lobbying hype to say that the end of safe harbour would be a problem?
This piece is simply brilliant. Let’s hope the ECJ reaches the correct decision tomorrow morning…