Here we are: less than 2 weeks after the issuance of the opinion of the Advocate General (AG) Bot in the case Schrems v Data Protection Commissioner (see my post here) the Court of Justice of the European Union (CJEU) declared today that the US-EU safe harbour framework was invalid! While this is definitely one the boldest decisions of the CJEU, it is also one of its clearest! [In its quest for a high level of protection of personal data, the CJEU has also reached a high level of legal argumentation! To clarify my thoughts, whether the decision is politically or economically sound is a slightly different question. Above all, whether the European Union has the means (and the will… looking at the burgeoning of national surveillance laws) to achieve the CJEU’s ambition is not that obvious!].

More precisely, the CJEU held today that:

1. Article 25(6) of the Data Protection Directive read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (Charter), must be interpreted as meaning that the Commission Decision 2000/520/EC of 26 July 2000 concerning the adequacy of the US legal system does not “prevent a supervisory authority of a Member States, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
2. The Commission’s Decision 2000/520 is invalid.

Why is the CJEU’s decision better than the AG’s opinion?

1. If the CJEU does mention that the “establishment in Member States of independent supervisory authorities is …. an essential component of the protection of individuals with regard to the processing of personal” (para. 42) this is “only” to insist upon the key role played by national supervisory authorities in the enforcement process. It is indeed crucial that these independent supervisory authorities be able to exercise their investigative powers, even in cases in which the EU Commission has issued a decision of adequacy on the ground of Article 25. [Laws are not engraved in stone anymore!]. In para. 47, the CJEU thus recalls that “the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46”.
2. This being so, the CJEU is very careful to explain that the granting of an investigatory power to national supervisory authorities even when the EU Commission has issued a decision of adequacy does not entitle these authorities to declare an EU act invalid [as I discussed here this was not expressly stated in the AG’s opinion although it might have been obvious]. Para. 52 expressly states that “until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection”. More precisely, “where a person whose personal data has been or could be transferred to a third party which has been the subject of [a Commission’s decision] lodges … a claim concerning the protection of his rights and freedoms in regard to the processing of that data and contests, in bringing the claim… the compatibility of that decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, it is incumbent upon the national authority to examine the claim with all due diligence”. Supervisory authorities have thus a duty to investigate in such circumstances! Moreover para. 65 states that “it is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity”. Not only have data subjects a right to be heard, but also national supervisory authorities! [Does it mean that national supervisory authorities can’t suspend data flows while waiting for the decision of the EU Commission? The invalidation of Article 3 of Decision 2000/520 would suggest the contrary. Was this really needed?].
3. As regards the CJEU’s analysis of the validity of the Commission’s decision, the Court undertakes a systematic examination of the safe harbour framework and the Commission’s action since the adoption of its adequacy decision.
   • The CJEU insists, just like the AG had done in his opinion, that an adequate level of protection is a level of protection that is essentially equivalent to that guaranteed within the EU by virtue of the Data Protection Directive and the Charter read together. The CJEU also adds that circumstances arising after the decision’s adoption must also be taken into account (para. 76) (this is also what the AG had said in his opinion).
   • The CJEU goes however further in its analysis of the Commission’s decision in that it attempts to determine whether the methodology used by the Commission was the correct one. In assessing the legal order of a third country, the EU Commission shall “assess the content of the applicable rules in that country resulting from its domestic law or international commitments and the practice designed to ensure compliance” said the CJEU. (para. 75). [The exercise cannot consist in a purely legalistic assessment]. Importantly, the CJEU found that the Commission’s decision did not contain “sufficient findings regarding the measures by which the United States ensures an adequate level of protection, within the meaning of Article 25(6) of that directive, by reason of its domestic law or its international commitments”. In addition, the Commission’s decision did not “contain any finding regarding the existence, in the United States, of rules adopted by the State intended” to limit the scope of the safe harbour framework, even if these rules have been adopted to pursue legitimate objectives such as national security (para. 88). The Commission’s decision does not adopt an overall approach and only focuses upon the law as it is in the context of commercial disputes (para. 89).
   • Moreover, the EU Commission did recognise in a later document (Communication COM(2013) 847 final that “the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security”. The Commission had also acknowledged that “data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased” [this is really important!].
   • Furthermore, the CJEU explains quite clearly why derogations and exceptions to the application of the fundamental right to respect for private can only be “strictly necessary”. A strict scrutiny is warranted as per Digital Rights Ireland and Others because:
     • “legislation permitting the public authorities to have access on a generalised basis to the content of electronic   communications must be regarded as compromising the essence of the fundamental right to respect for private life” (para. 94) [Note that only Article 7 is mentioned here!]
     • “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter”.
   • [Note in passing that the exceptions to the safe harbour are crafted in very broad terms (national security, public interests, or law enforcement requirements) (para. 86)].
4. Finally, even if the CJEU does not hold that legislation that “authorises on a generalised basis, storage of all the personal data of all the persons” of the EU is per se contrary to what a high level of protection requires, it holds that this is the case when no “differentiation, limitation or exception [are] made in the light of the objective pursued” and when no “objective criterion [is] laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail” (para. 93). “Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter“. (para. 95) [Hence the importance of access regimes as mentioned here and here. But this also means that access regimes are not the sole safeguards to put in place!].

To conclude, it could seems that Article 7 of the European Charter really goes beyond Article 8 of the European Convention on Human Rights! [Or could the European Court of Human Rights be as bold?]

To the governments of each Member State (so not only to that of the US), the ball is in your courts…. to have a fresh look at your current or soon-to-be adopted surveillance laws!

Sophie Stalla-Bourdillon