The Data Protection Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The directive also provides that the Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred.
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
More particularly, it referred to following questions to the CJEU:
Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC1 ) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/012 ), the provisions of Article 25(6) of Directive 95/46/EC3 notwithstanding?
Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?
In his opinion, the Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid.
In more particular, he concludes that:
1) Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
2) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.
Admittedly, it is not sure that the Court will follow the opinion of the Advocate General. Nevertheless, it will certainly influence the future decision of the Court and it may lead to the affirmation that national data protection authorities retain the right to investigate complaints against third countries that allegedly infringe data subject's rights.
It also becomes clear that, in view of Edward Snowden's revelations, the Decision 2000/520/EC is unjustified and should be annulled. What is also important is Advocate General's view that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter of Fundamental Rights. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens of the to an effective remedy, protected by the Charter.