01 October 2015
Austrian Law Student Maximillion Schrems made a complaint to the Irish Data Protection Authorities in light of Edward Snowden’s revelations about the US National Security Agency’s mass surveillance of Facebook data in the US. He requested that the Irish Authority investigate Facebooks arrangements for the security of European citizen’s data where it is held on servers in the US. In doing so he has conjured up a privacy storm in the already choppy waters of the Commissions Safe Harbour under Decision 2000/520/EC of 26 July 2000.
The Irish authorities declined to look behind the Safe Harbour data sharing arrangements. However the Irish High Court made a referral to the Court of Justice of the European Union asking whether or not the decision prevented a national authority from looking behind the Safe Harbour and Decision 2000/520/EC.
Advocate General Yves Bot has considered that question and has indicated “that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.”
He also considered the validity of Decision 2000/520E, concluding that it and the related frequently asked questions issued by the Department of Commerce of the United States of America is invalid because “owing to the breaches of fundamental rights…, the safe harbour scheme …cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.”
The Court of Justice of the European Union is not bound to follow the opinion of the Advocate General but it often does and the Court will find it difficult to ignore the Advocate General’s criticism that the Decision does not provide European citizens with the level of protection guaranteed in the Directive. It will also require to address the criticism that mass indiscriminate surveillance in the US interferes with fundamental rights and is contrary to the principle of proportionality which when taken together with the lack of effective judicial oversight fundamentally undermines rights protected by the European Charter.
Max Schrems has indicated that the Courts determination is to be delivered on 6th October 2015. If the Court follows the Advocate General’s opinion on this matter The Decision will have substantial implications for any organisations involved in EU US data sharing. If this opinion does signal the end of the Safe Harbour organisations will require to put in place their own contractual security provisions using Standard Contractual Clauses or may seek to establish Binding Corporate Rules if they are unable to transfer under any of the derogations in the Directive.
The effect of the decision signals a potentially costly development for business if the Commission cannot achieve an appropriate adequacy settlement in its review of the Safe Harbour arrangements commenced in the context of the decision Agrarproduktion Staebelow (C‑504/04 EU).
The decision will also place an additional investigatory obligation on National Authorities raising questions about their ability to investigate international adequacy findings and the resourcing of that exercise. We will soon know which direction the wind will be blowing.
For further information please contact Paul Motion on T: 0131 222 2939 or email us at email@example.com