Data protection / data protection agencies / Privacy / safe harbour

DPAs or national supervisory authorities and the CJEU in Schrems: what does it mean to “engage in legal proceedings”?


The CJEU has definitely been very bold in its recent decision in Schrems v Data Protection Commissioner. While the judgement of the CJEU is more convincing than the opinion of the Advocate General (see my posts here and here), it is obviously not perfect. [But I wonder, perhaps naively: shouldn’t the CJEU’s decision be seen as an opportunity, rather than a provocation?] One of the most “original” points [whether the idea really “originated” from the CJEU is not entirely clear though, as this post will show] is para. 65 of the judgement.

Para. 65 reads as follow:

“In the converse situation, where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity”

The English-language version of the decision therefore speaks about a legal remedy that should enable the national data protection authority (DPA) to put forward its objections regarding the validity of a Commission’s act. What does “legal remedy” really mean in this context? A remedy is usually ordered by a judge to solve a particular legal matter in the form of damages, or a command to perform or stop a conduct. One could thus maybe try to argue that it would suffice to allow DPAs to make (amicus curiae) submissions to national courts [as such submissions are not necessarily the rule and have to be accepted by the Court].

Such a reading would, however, provide a quite lenient interpretation of the expression “engage in legal proceedings” to be found in the first sentence of para. 65. In this sense, to “engage in legal proceedings” would not necessarily mean to be a party to a legal proceeding but would be interpreted as imposing only an obligation to enable ‘participation’ in the legal proceedings.

A slightly different reading could lay emphasis upon the CJEU’s edict in the first sentence of para. 65, rather than the second. The CJEU could be read as stating that, while it is incumbent upon member states to recognise DPA’s capacity to engage in legal proceedings, it would not necessarily mean that the most obvious path to challenge the validity of a Commission’s decision would be to do it before a national court. A direct action before the CJEU under Article 263 TFEU might be a better avenue when the conditions for standing applicable to non-privileged applicants are met (as individual concern is not required for standing to challenge regulatory acts anymore). However, as the timeframe for such an action is very tight (two months from the publication of the measure) this is not necessarily a very attractive interpretation.

Reading the French version of the decision, the language of the CJEU seems less obscure [it should be noted that while the language of the case was English, the working language of the CJEU is French].

Here is the French version of para. 65:

« Dans l’hypothèse contraire, où ladite autorité estime fondés les griefs avancés par la personne l’ayant saisie d’une demande relative à la protection de ses droits et libertés à l’égard du traitement de ses données à caractère personnel, cette même autorité doit, conformément à l’article 28, paragraphe 3, premier alinéa, troisième tiret, de la directive 95/46, lu à la lumière notamment de l’article 8, paragraphe 3, de la Charte, pouvoir ester en justice. À cet égard, il incombe au législateur national de prévoir des voies de recours permettant à l’autorité nationale de contrôle concernée de faire valoir les griefs qu’elle estime fondés devant les juridictions nationales afin que ces dernières procèdent, si elles partagent les doutes de cette autorité quant à la validité de la décision de la Commission, à un renvoi préjudiciel aux fins de l’examen de la validité de cette décision ».

The expression “ester en justice” clearly means that the ambition is to make DPAs become party to a legal proceeding. This appears all the more true from the fact that the French version uses the expression “voies de recours” in the sense of “avenues of redress”, rather than “legal remedies”, strictly speaking.

If I take the example of the French DPA, which is sometimes described as one of the most “engaged” DPAs in Europe, the CNIL is what the French call an independent administrative authority (IAA).

Under Article 45 of the French Data Protection Act (Loi Informatique et libertés), the CNIL’s President may seek a judicial order in summary proceedings (“référé”) to require the implementation of security measures, necessary to protect the fundamental rights of data subjects, in cases in which it there is a serious and immediate violation of these rights.

In a document dated 13 January 2015, the CNIL suggested that it would be appropriate to enlarge the scope of the summary proceedings and make it possible for the DPA to require all sort of measures (not necessarily security measures) including measures ordering the suspension of processing activities before it issues a final sanction decision.

A measure to suspend processing activities thus seems to be seen as a temporary precautionary measure. Notably, it would be issued by a judge and not the CNIL.

Here is what the CNIL recommends in French: “actuellement la CNIL a la possibilité de saisir le juge des référés, mais uniquement pour que soient mises en œuvre, sous astreinte, les «mesures de sécurité» nécessaires. Il est proposé de supprimer les mots «de sécurité» pour que la CNIL puisse, de manière générale, saisir le juge des référés de toute demande tendant, notamment, à l’exécution de ses décisions de sanctions ou à la suspension d’un traitement“.

How do other DPAs operate on the continent? The “creativity” of the CJEU has not been received very warmly by commentators based in the UK. Could they now say that the CJEU’s creativity is the result of French exuberance?

Interestingly, the French administrative Supreme Court (Conseil d’Etat) held in 2008 that the CNIL is a tribunal within the meaning of Article 6-1 of the European Convention of Human Rights when it exercises a power of sanction. Could this mean that the CNIL could actually make use of Article 267 TFEU and refer a preliminary question to the CJEU or is this too simple? Obviously national categorizations do not bind the CJEU….

Sophie Stalla-Bourdillon

Leave a Reply