On March 24, 2015, the Court of Justice of the EU (CJEU) heard arguments in Case C-362/14 (Schrems). The High Court of Ireland has asked the CJEU whether Ireland’s data protection authority (DPA) — and by extension other EU DPAs — is bound by the Commission’s adequacy decision (Decision 520/2000/EC) with respect to the EU-US Safe Harbor framework, or whether the authority may, or must, conduct an independent investigation into the adequacy of the Safe Harbor in light of subsequent factual developments (potentially prohibiting use of the framework for EU to U.S. transfers).
The impact of the case could be wide-ranging, as thousands of organizations currently rely on the Safe Harbor for transferring personal data from the EU to the U.S., rather than alternative data transfer mechanisms. Max Schrems, the applicant in the underlying Irish proceedings, argued that given recent allegations as to the freedom with which U.S. intelligence agencies can access EU-originating data from Safe Harbor companies, the Safe Harbor no longer provides adequate protection as a matter of EU law.
The hearing revealed deep differences of opinion. On the one hand, representatives of the European Commission and Irish data protection authority took the lead in arguing that all EU DPAs must respect the Commission’s 2000 Safe Harbor decision, and that only the Commission may suspend Safe Harbor transfers, unless the narrow grounds for DPA-led suspensions of data transfers under Article 3(1) of the Safe Harbor decision apply. They therefore argue that until revoked, the Safe Harbor overrides DPAs’ powers under Article 28 of the Data Protection Directive to block data exports.
By contrast, parties that included EU Member States such as Austria, Belgium, Poland and Slovenia, the European Parliament, the European Data Protection Supervisor, Digital Rights Ireland (an Irish pro-privacy NGO), and, of course, Max Schrems, argued that if it is the case that the Commission decision prevents DPAs from exercising their Article 28 powers in full, then that decision is contrary to Article 8 of the European Charter of Fundamental Rights (for failing to ensure protection of personal data and/or control by a truly “independent” authority), and should either be struck down or disregarded by DPAs.
The Schrems case is the latest in which the CJEU has evaluated the EU’s data protection regime. The CJEU last year took the rare step of invalidating the EU Data Retention Directive on privacy grounds (Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland and Seitlinger and others). That case, together with others over the last decade, indicates that the CJEU takes privacy very seriously, often giving it precedence over competing commercial, national security and/or law enforcement aims.
The Schrems case could decide the extent to which the Commission is empowered to make binding adequacy decisions applicable throughout the EU, preventing national DPAs from interceding where they feel the fundamental privacy rights of their citizens are threatened. A decision favorable to the applicant, Schrems, could prove hugely disruptive to industry, which has relied heavily upon the Safe Harbor to date, since it would allow Member States to suspend the Safe Harbor as a means of transferring data to the U.S.
Such a ruling could have an unintended broader impact, as well, by undermining other existing data transfer mechanisms predicated upon Commission decisions. In a sign of the potential importance of the case, the CJEU has allocated a full 15-person bench to the case that includes some of the CJEU’s most senior judges, notably the CJEU’s President, Vice-President, and several Chamber Presidents. Approximately half of the judges overseeing this case heard arguments in the Digital Rights Ireland case.
Following this week’s hearing, former French public prosecutor Yves Bot will render the Advocate-General opinion for the case (likely by June 24). The judge assigned primary responsibility for the case (the Judge Rapporteur), Thomas von Danwitz, will then canvass the views of all judges assigned to the case ahead of final judgment.
Bot and von Danwitz have both worked on important CJEU data protection cases in the past. Bot was Attorney General in Case C-301/06 Ireland v Parliament and Council (a 2008 challenge to the Data Retention Directive), Case C-557/07 LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten (compatibility of copyright enforcement monitoring with EU data protection rules), and Case C‑43/12 Commission v Parliament and Council (legality of cross-border data on road traffic offences).
Von Danwitz, meanwhile, was also Judge Rapporteur in the Digital Rights Ireland case – this, along with the wider make-up of the bench, perhaps does not bode well for the Safe Harbor. Meanwhile, the Commission continues to engage in high-level discussions with U.S. authorities over revamping the Safe Harbor.