Advocate General (AG) Bot delivered his awaited opinion on 23 September 2015 in the case C-362/14 Maximillian Schrems v Data Protection Commissioner. As readers might remember (see my previous post here), the Irish High Court had made a reference for a preliminary ruling back in 2014. [For background, talented Austrian Facebook user Maximillian Schrems complained to the Irish Data Protection Commissioner, alleging that his personal data, which was transferred from Facebook’s Irish subsidiary to Facebook in the US, was not adequately protected in light of mass surveillance activities by US government agencies. The Irish Data Protection Commissioner refused to deal with Schrems’ complaint and Schrems attacked the refusal of the Commissioner before the High Court.]
Importantly, the request for a preliminary ruling had been phrased as a request for interpretation of EU law and grounded on Article 267(a) of the Treaty on the Functioning of the European Union (TFEU). Here is the question posed to the Court of Justice of the European Union (CJEU):
“Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding? Or, alternatively, may the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?”
To paraphrase, the national court is asking whether a national data protection agency can disregard the European Commission Decision 2000/520/EC of 26 July 2000 on the adequacy of protection provided by the EU-US ‘safe harbour’ framework [and eventually, if it so deems after investigation, hold that the US legal system does not ensure an adequate level of protection of personal data as found in the EU and therefore should suspend data flows between the US and the Member State (MS) in which it operates]?
What does the AG answer? Two important things:
- Despite Article 25(6) of the Data Protection Directive providing that “Member States shall take the measures necessary to comply with the Commission’s decision”, the AG interprets Article 28 of the Directive in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter) as meaning that “the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third party country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data”.
- The EU Commission Decision 2000/520/EC of 26 July 2000 finding that the US legal system provides ‘adequate’ protection is invalid.
How did the AG come to the conclusion that national data protection agencies can disregard the EU Commission’s findings? Such a conclusion is not directly derived from the declaration of invalidity of the EU Commission’s decision [and this might be why some might say that the AG’s opinion is problematic… although his opinion rightly casts doubts on the legitimacy of the safe harbour framework and on the validity of the EU Commission’s decision].
So why is it that a national data protection agency (also called a national supervisory authority) is entitled to disregard the EU Commission’s decision and its findings as regards the adequacy of the US legal system?
The Irish Commissioner had taken the view that the “nature and very existence of Decision 2000/520 prevented him from examining this question” (i.e. from examining whether the US legal system was adequate). Given the way shared competences between the EU and MSs are traditionally understood, such a conclusion was not entirely surprising. The Irish Commissioner must have thought that by adopting its Decision the EU Commission had pre-empted future national measures on the same point. The only way to ‘re-give’ national data protection agencies the necessary leeway for them to investigate a complaint in this area was to attack the validity of the EU Commission’s decision.
However, given the way the AG constructed his opinion, it does not seem that a declaration of invalidity was necessary to allow MSs to conduct their own investigations as to the adequacy of the US legal system. [Para 89 is slightly confusing though, as the AG states that “A Commission decision does, admittedly, play an important role in ensuring uniformity in the transfer conditions applicable in the Member States. However, that uniformity can continue only while that finding is not called in question”. So why not simply start by looking at the validity of the EU Commission’s decision?]
It is true that Schrems had not directly challenged the validity of the EU Commission’s decision or even the validity of the Data Protection Directive.
However, before recognising that “even where a request to the Court for a preliminary ruling relates solely to the interpretation of EU law the Court may, in certain specific circumstances, find it necessary to examine the validity of provisions of secondary law”, the AG is able to answer the question posed to the CJEU.
The following might be a way to justify the AG’s approach: before looking at the validity of the EU Commission’s decision, he mentions at para. 100 that MSs “must not only interpret their national law in a manner consistent with EU law but also make sure they do not rely on an interpretation of secondary legislation which would be in conflict with the fundamental rights protected by the European Union Legal order or with the other general principles of EU law. (See, in particular, judgment in N.S. and Others C‑411/10 and C‑493/10, EU:C:2011:865, paragraph 77 and the case-law cited).” [Is this a correct extrapolation of N.S. and Others? Are we not indirectly giving MSs the power to assess the validity of EU instruments?]
As regards the assessment of the validity of the EU Commission’s decision, the AG might appear more convincing, although his opinion is not without problems.
Rightly, he starts his analysis by stating that “the validity of [an EU] measure might, in certain cases, be assessed by reference to new factors which arose after its adoption” (para 132).
The AG also correctly stresses the importance of an adequacy decision and affirms that “it must be regularly reviewed by the Commission” (para. 137).
The AG goes on to say that “the only criterion that must guide the interpretation of [the word ‘adequate’] is the objective of attaining a high level of protection of fundamental rights, as required by Directive 95/46”. Once again this is a perfectly legitimate statement.
Where it becomes more contentious is when the AG states at para. 145 that “within the European Union the prevailing notion is that an external control mechanism in the form of an independent authority is a necessary component of any system designed to ensure compliance with the rules on the protection of personal data”.
Such a statement seems to find some of its roots in the CJEU’s decision in the Digital Rights Ireland case. At para. 62, the CJEU had noted in this case that “Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions”. This consideration played an important role in justifying its declaration of the invalidity of the Data Retention Directive 26/24/EC in that case. [For a discussion on the importance of such a factor, see my previous post here. However, the CJEU was not really speaking about national data protection agencies when it referred to a court or an independent administrative body, or was it?]
Moreover, even if the AG is right when he says that the principle of proportionality should also apply in cases in which measures of national security are at stake [the PRISM programme could be seen as a measure of national security in some ways] and hence rightly interprets Art. 13 of the Data Protection Directive, the AG seems to be suggesting that even in these cases the review of the measures will be strict (see para. 189). [What the case law of the European Court of Human Rights (ECtHR) shows, however, is that the ECtHR has been more deferential to states’ interests in cases in which measures of national security are at stake. Isn’t this what is happening in Weber? Notably, the Digital Rights Ireland case did not involve a measure of national security as such.]
Second, the AG seems also to work from the assumption that “it is excluded for the EU legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance”. He thus concludes in a syllogism that “third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data”.
Even if these statements are made loud and clear [and should be welcomed], isn’t it the case that they are too bold in the sense that they do not reflect positive law [but the law is in the making, I hear you saying!]? The CJEU never held in Digital Rights Ireland that measures of mass surveillance can never be justified. Besides, the English High Court in the Davis case interpreted the CJEU’s decision as stating that what was crucial was to have an appropriate access regime in place [by the way, the negotiations of the EU-US data protection “Umbrella agreement” have just been finalised]. And what did the French legislator do a few months ago (see my post here)?
I wonder, could the AG define what a measure of ‘mass surveillance’ is?
Obviously, the CJEU is not bound to follow the AG’s opinion, but if it does, the ruling could have a significant impact on organisations that currently rely on the EU-US safe harbour framework.
To conclude, would it be possible for the CJEU to be as ‘creative’ as the English High Court in the Davis case and suspend the disapplication of an EU Commission decision while declaring it invalid?