Brussels, 23/09/2015 (Agence Europe) - The European Commission's 2000 decision that the US provides adequate protection to the personal data of European citizens transferred there by social networks, such as Facebook, must be seen as invalid and must not prevent national authorities from suspending the transfer of these data to servers located in the US.
That is the substance of the opinion formed by Advocate General Yves Bot in the Schrems case (C-362/14, see also EUROPE 11281, 11287 and 11331), so called after the Austrian Facebook subscriber who, following the Edward Snowden revelations on the use made by the US National Security Agency (NSA) of private data on social networks without the knowledge of the persons concerned, lodged a complaint with the Irish authorities over the transfer by the Irish subsidiary of Facebook of his personal data to servers located in the United States. Schrems argued that the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the grounds, in particular, that in a decision of 26 July 2000 the Commission considered that, under the “safe harbour” scheme, the United States ensures an adequate level of protection of the personal data transferred, in line with the requirements of the data protection directive (95/46/EC). This decision formed the basis for the agreement that came to be known as the “Safe Harbour” agreement between the EU and the US, allowing the electronic transfer of the personal data of European citizens to the US. The High Court of Ireland, which was hearing the case, asked the European judges whether that Commission decision has the effect of preventing member states from investigating in the event of a challenge to the Commission decision and, where appropriate, from suspending the contested transfer of data.
In his opinion, the Advocate General suggests the Court responds to these questions in the negative. He argues that the Commission decision “cannot eliminate or even reduce the national supervisory authorities' powers under the directive on the processing of personal data”. He says that, with regard to monitoring data protection, the directive gives national authorities complete independence on investigating and banning and that national authorities must have the power to suspend the transfer of data if it is felt that the transfer undermines the protection of citizens of the EU as regards the processing of their data.
While national supervisory authorities are legally bound by the Commission decision, the Advocate General considers that such a binding effect cannot require complaints to be rejected summarily, that is to say, immediately and without any examination of their merits.
Advocate General Bot says that the Commission decision is invalid given that the Commission itself (as well as the High Court of Ireland) has found that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Access to the transferred data without the knowledge of the persons concerned and processing by the US intelligence services constitutes interference with the right to respect for private life and the right to protection of personal data, in the Advocate General's view. Thus, the Commission decision does not contain sufficient guarantees with regard to respect of these rights guaranteed by the directive and by the EU Charter of Fundamental Rights and so must be considered invalid. Furthermore, on finding these infringements by the American authorities, the Commission ought to have suspended the application of its decision (and, as a consequence, the data transfer provided for under Safe Harbour) even though it is currently conducting negotiations with the US in order to put an end to the shortcomings found (particularly, the Advocate General observes, as it opened these negotiations after noting the shortcomings and considering that the decision adopted in 2000 was no longer adapted to the reality of the situation).
Reaction to the opinion was not long in coming. The Commission responded laconically, restating its desire to provide solid protection to personal data and indicating that a swift conclusion could come in the negotiations begun in 2014 to strengthen the Safe Harbour agreement and restore confidence in the mechanism for the transatlantic transfer of data. The plaintiff, Max Schrems said on his website that years of hard work seemed to have paid off, and he expressed the hope that the judges would go along with the Advocate General's opinion. DIGITALEUROPE, which represents the main digital technology players globally, said it was “concerned about the potential disruption to international data flows if the Court follows today's opinion” and suggested this might also “frustrate the creation of the Digital Single Market in Europe because it would fragment Europe's approach to data flows out of the EU”. EDRi, which brings together a number of digital rights associations, welcomed the opinion as a “very important step for the right to privacy in Europe”. (Original version in French by Francesco Gariazzo)