
2015. August 23.

TRANSFER OF PERSONAL DATA ON THE LEGAL BASIS OF SAFE HARBOUR IS DECLARED INVALID BY THE CJEU


I. Facts

The underlying procedure concerns an Austrian citizen, Mr. Schrems, a subscriber of the social network Facebook, and the Irish Data Protection Authority (hereinafter: the “DPA”). Facebook subscribers residing in the European Union are asked to sign a contract with Facebook Ireland, a subsidiary of Facebook Inc. established in the United States (‘Facebook USA’). Some or all of the data of subscribers to Facebook Ireland residing in the EU is transferred to Facebook USA’s servers in the United States, where it is kept on the basis of the “Safe Harbour Treaty”[1]. Mr. Schrems filed a complaint with the Irish Commissioner (the DPA), stating that the law and practices of the US offer no real protection of the data kept in the US against State surveillance, as he deemed that his data were accessed by the National Security Agency (NSA), and that it is therefore the DPA’s obligation to protect his fundamental rights.

The DPA rejected the complaint, stating that an adequate level of protection in the US is ensured by the Safe Harbour Decision of the Commission and that, as such, the DPA is bound by the Commission’s Decision.

II. Questions raised by the case

Assessing the arguments of the parties in the underlying case, the High Court of Ireland referred the following questions to the CJEU:

  1. Does the so-called Safe Harbour Decision of the Commission have the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection with regard to Articles 7, 8 and 47 of the ChFR and Article 25(6) of the DPA Directive; or

  2. Shall the national supervisory authority investigate such complaints in the light of the factual developments which have occurred since the Safe Harbour Decision was first published in the year 2000.

III. Rights invoked in question

The factual basis of the case calls for an evaluation of the Safe Harbour Decision in the light of Articles 7[2], 8[3] and 47[4] of the Charter of Fundamental Rights of the European Union (‘the Charter’ or ‘ChFR’) and of Article 25(6)[5] of Directive 95/46 (“DPA Directive”).

IV. Analysis of the Advocate General Yves Bot

AG Bot takes the view that the existence of a decision adopted by the Commission on the basis of Article 25(6) of the DPA Directive cannot eliminate or even reduce the national supervisory authorities’ powers under that directive. On the contrary, where the national supervisory authorities receive complaints, that decision does not prevent them, by virtue of their independence, from forming their own opinion on the general level of protection ensured by a third country. In this regard he refers to the recital of the DPA Directive stating that “the establishment of national supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data” and concludes that this requirement also derives from the primary law of the European Union, in particular from the invoked Article 8(3)[6] of the ChFR, from the TFEU[7] itself and from the CJEU’s practice as well, where it states that “the supervisory authorities are the guardians of those fundamental rights and freedoms”.

AG Bot states that the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the ChFR of the EU, i.e. the right to respect for private and family life and the right to the protection of personal data. However, he states that it is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU, without those citizens benefiting from effective judicial protection.

Such access of the US intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, and that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by those intelligence services is mass, indiscriminate surveillance.

In conclusion, AG Bot states that, should the CJEU find infringements of the fundamental rights of EU citizens, the Commission shall suspend the application of the Safe Harbour Decision.

V. Judgment of the CJEU

The Court of Justice upholds the main findings of the Advocate General and states the following.

The CJEU now states that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the ChFR of the EU and the DPA Directive, and thus cannot prevent their oversight of the transfer of personal data to third countries.

Thus, even if the Commission has adopted a decision, the national supervisory authorities must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the DPA Directive.

The Court observes that the scheme provided by the Safe Harbour Decision is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Moreover, national security and public interest requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

VI. Summary

The above ruling of the CJEU is a landmark decision, as it clarifies the powers of the national supervisory authorities vis-à-vis a decision adopted by the Commission on the adequate level of protection, and thus has a great impact on the domestic regulation of the legal basis for the transfer of personal data to third countries and on the respective practice of the Hungarian data protection authority.

[1] In Hungary, Section 8.§ (1-2) of the Data Protection Act provides for the possibility of data transfer to the USA on the legal basis of the Safe Harbour.

[2] Article 7 of the ChFR: “Everyone has the right to respect for his or her private and family life, home and communications”

[3] Article 8 of the ChFR: “Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.”

[4] Article 47 of the ChFR: “Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article. Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented. Legal aid shall be made available to those who lack sufficient resources in so far as such aid is necessary to ensure effective access to justice.”

[5] Article 25 (6) of the DPA Directive: “The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.”

[6] Article 8 (3) of the DPA Directive: “Compliance with these rules shall be subject to control by an independent authority”

[7] Article 16 (2) of the TFEU: “The European Parliament and the Council, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”