On March 24, 2015 the Court of Justice of the European Union (CJEU) commenced proceedings in the case of Maximillian Schrems against a local Irish Data Protection Commissioner (file no. C-362/14) who refused to consider a complaint by Mr. Schrems concerning activities of the Irish branch of Facebook.
The case has been given wide media coverage since it addresses the transfer of personal data of European residents to the United States by the Facebook social networking site. It is a very hot topic in light of the scandal exposed by Edward Snowden. Snowden made public several documents created by the National Security Agency (NSA). The said documents dealt with the government program known as PRISM which purpose was to conduct surveillance of Internet users, focusing in particular, on persons using social networking sites and e-mail services. In connection with the foregoing, the High Court of Ireland referred the question to the Court of Justice for a preliminary ruling as follows:
Whether in the course of determining a complaint which has been made to an independent office [Data Protection Commissioner] holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC ) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/012), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding.
Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?
To put it simply, CJEU will face a very difficult task. Its decision will provide an answer to the question whether the “Safe Harbor” provision deprives EU citizens of their rights resulting from the Charter of Fundamental Rights. Or in other words: can the Irish Data Protection Commissioner, guided by what is good for EU citizens, disregard the arrangements of the European Commission and the United States regarding the “Safe Harbor” provision?
What is the “Safe Harbor” provision?
In the course of talks between the US Trade Department and the European Commission, it was determined that the current legal circumstances in the scope of personal rights may hinder economic exchange. In order to reconcile the interests of both parties (having particular regard to the low level of personal data protection in the United States), it was decided that US entities that comply with the requirements of Directive 95/46/EC may receive a Safe Harbor provision certificate that is supposed to guarantee an adequate level of personal data protection.
In accordance with Article 25 (1) of Directive 95/46/EC, EU member states shall ensure that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to other provisions of this Directive, the third country in question ensures an adequate level of protection. The Directive additionally states that the Commission shall inform, by means of a decision, where they consider that a third country does not ensure an adequate level of protection, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations with the Commission, for the protection of private life and basic freedoms and rights of individuals.
In turn, the Charter of Fundamental Rights provides as follows:
Article 7 – Respect for private and family life
Everyone has the right of respect for his or her private and family life, home and communications.
Article 8 – Protection of personal data
- Everyone has the right to the protection of personal data concerning him or her..
- Such data must be processed fairly for a specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
Article 47 – Right to an effective remedy and to a fair trial
Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article.
Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented.
Legal aid shall be made available to those who lack sufficient resources in so far as such aid is necessary to ensure the effective access to justice.
The Court’s decision is bound to have a significant impact due to the political nature of the case. The Court may, for example, rule that interpreting “Safe Harbor” principles in light of the Charter of Fundamental Rights is impossible since the national personal data protection bodies are bound by decisions issued by the Commission. On the other hand, the decision may take another approach and determine that it is indeed possible to reconcile the “Safe Harbor” provision with the Charter of Fundamental Rights. This, however, poses a risk of there being different interpretations, as upheld by each of the 28 member states, and undermines the arrangements between the Commission and non-EEA countries.