This week the Court of Justice of the European Union (‘CJEU’) heard a case that could destabilise data flows between the US and EU under the EU-US Safe Harbor Decision. In Schrems v Data Protection Commissioner (C-362/14), the same court that last year approved the “right to be forgotten” online heard evidence about the adequacy of US data protection regulations for EU citizens’ data and considered whether recent revelations about the NSA and PRISM programmes should affect determinations of national data protection authorities. The Safe Harbor Decision explicitly accepts that adherence to the Safe Harbor Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements. The CJEU will have to determine whether national data protection authorities are bound by this determination made by the European Commission (‘EC’) in the year 2000.

Background

Claimant Max Schrems argued that the EU-US Safe Harbor self-certifications no longer guarantee the privacy rights of EU citizens, as personal data is not adequately protected when it is transferred to the US due to government surveillance. He asked the Irish Data Protection Commissioner (DPC) to stop Facebook Ireland Ltd (Facebook’s European headquarters) from transferring data to the Facebook US headquarters, but the DPC refused to grant the request. Schrems appealed to the Irish courts, which referred two questions to the CJEU.

Legal Questions Referred

• Is a national DPC bound by an adequacy decision of the EC for a third country, if it is claimed that the laws and practices of that third country do not contain adequate protections for a data subject?
• Must national DPCs conduct their own investigations as to the adequacy of the third country’s laws and practices, in light of factual developments since the EC’s adequacy decision?

Hearing Summary

Schrems argued that DPCs and the Commission have a duty to protect citizens against violations of privacy rights. Complaints must be investigated and, where data protection is inadequate, data flows to the US should be suspended. By ignoring complaints, DPCs fetter their discretion. Schrems argued that Safe Harbor was illegal when it was adopted in 2000 and, in light of PRISM and NSA surveillance, is "even more illegal". Schrems’s case was built on last year’s case by Digital Rights Ireland in which the CJEU struck down as invalid an EU directive that had allowed data retention in the EU [press release]. Schrems was supported by submissions from Member States including Austria, Belgium and Poland.

The Irish DPC argued that it was bound by the EC’s prior decision on the adequacy of the EU-US Safe Harbor self-certifications in ensuring data protection for EU citizens’ data. Schrems had not suffered harm and there was no case for the Irish DPC to investigate – the exposure of data to surveillance as disclosed by Snowden is not enough. The Irish DPC argued that "international diplomacy" – not the courtroom – is the best forum for discussing data transfer issues between the EU and US and that responsibility lies not with the Irish DPC but with the EC.

While the questions referred turn on the discretion of DPCs, much of the hearing focussed on the adequacy of US privacy laws and regulations. The CJEU repeatedly considered Article 25 of the Data Protection Directive and asked whether companies compliant with Safe Harbor self-certifications can genuinely ensure the protection of citizen data. In light of US surveillance practices, lawyers for the EC reportedly admitted that the adequate protection of EU citizen data cannot currently be guaranteed, and instead focussed on the economic consequences of a suspension of the Safe Harbor provisions, including a digital advertising market valued at over US$34.81 billion.

Lawyers for the European Data Protection Supervisor (‘EDPS’), where EU national DPCs meet, recommended that the court balance privacy and potential market disruption but noted that if ongoing negotiations between the US and EC on revising Safe Harbor did not lead to substantial revisions, then EDPS counsel would recommend that the EU suspend Safe Harbor provisions.

The lead judge on the case, Thomas von Danwitz, reportedly appeared sympathetic to Schrems. The Advocate-General’s non-binding but typically influential opinion is expected 24 June 2015. The CJEU is expected to issue its judgment 3-4 months later.

This post was prepared with the assistance of Calum Docherty in the London office of Latham & Watkins.