The Party’s Over: EU Data Protection Law after the Schrems Safe Harbour Judgment
November 25, 2018
Steve Peers
The relationship between intelligence and law enforcement agencies (and companies like Google and Facebook) and personal data is much like the relationship between children and sweets at a birthday party. Imagine you’re a parent bringing out a huge bowl full of sweets (the personal data) during the birthday party – and then telling the children (the agencies and companies) that they can’t have any. But how can you enforce this rule? If you leave the room, even for a moment, the sweets will be gone within seconds, no matter how fervently you insist that the children leave them alone while you’re out. If you stay in the room, you will face incessant and increasingly shrill demands for access to the sweets, based on every conceivable self-interested and guilt-trippy argument. If you try to hide the sweets, the children will overturn everything to find them again.
When children find their demands thwarted by a strict parent, they have a time-honoured circumvention strategy: “When Mummy says No, ask Daddy”. But in the Safe Harbour case, things have happened the other way around. Mummy (the Commission) barely even resisted the children’s demands. In fact, she said Yes hours ago, and retired to the bathroom with an enormous glass of wine, occasionally shouting out feeble admonitions for the children to tone down their sugar-fuelled rampage. Now Daddy (the CJEU) is home, shocked at the chaos that results from lax parenting. He has now stopped the supply of further sweets. But the place is full of other sugary treats, and all the children are now crying. What now?
In this post, I’ll examine the reasons why the Court put its foot down, and invalidated the Commission’s ‘Safe Harbour’ decision which allows transfers of personal data to the USA, in the recent judgment in Schrems. Then I will examine the consequences of the Court’s ruling. But I should probably admit for the record that my parenting is more like Mummy's than Daddy's in the above example.
Background
For more on the background to the Schrems case, see here; on the hearing, see Simon McGarr’s summary here; and on the Advocate-General’s opinion, see here. But I’ll summarise the basics of the case again briefly.
Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since he believed that transfers of his data to Facebook were subject to such mass surveillance, he complained to the Irish data protection authority, which regulates Facebook’s transfers of personal data from the EU to the USA.
The substantive law governing these transfers of personal data was the ‘Safe Harbour’ agreement between the EU and the USA, agreed back in 2000. This agreement was put into effect in the EU by a decision of the Commission, which was adopted pursuant to powers conferred upon the Commission by the EU’s current data protection Directive. The latter law gives the Commission the power to decide that transfers of personal data outside the EU receive an ‘adequate level of protection’ in particular countries.
The ‘Safe Harbour’ agreement was enforced by self-certification of the companies that have signed up for it (note that not all transfers to the USA fell within the scope of the Safe Harbour decision, since not all American companies signed up). Those promises were in turn meant to be enforced by the US authorities. But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data under the agreement, if the US authorities or enforcement system found a breach of the rules, or on a list of limited grounds set out in the decision.
The Irish data protection authority refused to consider Schrems’ complaint, so he challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.
The judgment
The CJEU first of all answers the question which the Irish court asks about DPA jurisdiction over data transfers (the procedural point), and then goes on to rule that the Safe Harbour decision is invalid (the substantive point).
Following the Advocate-General’s view, the Court ruled that national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws if there is an inadequate level of data protection in those countries, even if the Commission has adopted a decision (such as the Safe Harbour decision) declaring that the level of protection is adequate. Like the Advocate-General, the Court based this conclusion on the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). In fact, the new EU data protection law currently under negotiation (the data protection Regulation) will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).
The Court then elaborates upon the ‘architecture’ of the EU’s data protection system as regards external transfers. It points out that either the Commission or Member States can decide that a third country has an ‘adequate’ level of data protection, although it focusses its analysis upon what happens if (as in this case) there is a Commission decision to this effect. In that case, national authorities (including DPAs) are bound by the Commission decision, and cannot issue a contrary ruling.
However, individuals like Max Schrems can still complain to the DPAs about alleged breaches of their data protection rights, despite the adoption of the Commission decision. If they do so, the Court implies that the validity of the Commission’s decision is therefore being called into question. While all EU acts must be subject to judicial review, the Court reiterates the usual rule that national courts can’t declare EU acts invalid, since that would fragment EU law: only the CJEU can do that. This restriction applies equally to national DPAs.
So how can a Commission decision on the adequacy of third countries’ data protection law be effectively challenged? The Court explains that DPAs must consider such claims seriously. If the DPA thinks that the claim is unfounded, the disgruntled complainant can challenge the DPA’s decision before the national courts, who must in turn refer the issue of the validity of the decision to the CJEU if they think it may be well founded. If, on the other hand, the DPA thinks the complaint is well-founded, there must be rules in national law allowing the DPA to go before the national courts in order to get the issue referred to the CJEU.
The Court then moves on to the substantive validity of the Safe Harbour decision. Although the national court didn’t ask it to examine this issue, the Court justifies its decision to do this by reference to its overall analysis of the architecture of EU data protection law, as well as the national court’s doubts about the Safe Harbour decision. Indeed, the Court is effectively putting its new architecture into use for the first time, and it’s quite an understatement to say that the national court had doubts about Safe Harbour (it had compared surveillance in the USA to that of Communist-era East Germany).
So what is an ‘adequate level of protection’ for personal data in third countries? The Court admits that the Directive is not clear on this point, so it has to interpret the rules. In the Court’s view, there must be a ‘high’ level of protection in the third country; this does not have to be ‘identical’ to the EU standard, but must be ‘substantially equivalent’ to it. Otherwise, the objective of ensuring a high level of protection would not be met, and the EU’s internal standards for domestic data protection could easily be circumvented. Also, the means used in the third State to ensure data protection rights must be ‘effective…in practice’, although they ‘may differ’ from that in the EU. Furthermore, the assessment of adequacy must be dynamic, with regular automatic reviews and an obligation for a further review if evidence suggests that there are ‘doubts’ on this score; and the general changes in circumstances since the decision was adopted must be taken into account.
The Court then establishes that in light of the importance of privacy and data protection, and the large number of persons whose rights will be affected if data is transferred to a third country with an inadequate level of data protection, the Commission has reduced discretion, and is subject to ‘strict’ standards of judicial review. Applying this test, two provisions of the ‘Safe Harbour’ decision were invalid.
First of all, the basic decision declaring adequate data protection in the USA (in the context of Safe Harbour) was invalid. While such a decision could, in principle, be based on self-certification, this had to be accompanied by ‘effective detection and supervision mechanisms’ ensuring that infringements of fundamental rights had to be ‘identified and punished in practice’. Self-certification under the Safe Harbour rules did not apply to US public authorities; there was not a sufficient finding that the US law or commitments met EU standards; and the rules could be overridden by national security requirements set out in US law.
Data protection rules apply regardless of whether the data is sensitive, or whether there were adverse consequences for the persons concerned. The Decision had no finding concerning human rights protections as regards the national security exceptions under US law (although the CJEU acknowledged that such rules pursued a legitimate objective), or effective legal protection in that context. This was confirmed by the Commission’s review of the Safe Harbour decision, which found (a) that US authorities could access personal data transferred from the EU, and then process it for purposes incompatible with the original transfer ‘beyond what was strictly necessary and proportionate for the purposes of national security’, and (b) that there was no administrative or judicial means to ensure access to the data and its rectification or erasure.
Within the EU, interference with privacy and data protection rights requires ‘clear and precise rules’ which set out minimum safeguards, as well as strict application of derogations and limitations. Those principles were breached where, ‘on a generalised basis’, legislation authorises ‘storage of all the personal data of all the persons whose data has been transferred’ to the US ‘without any differentiation, limitation or exception being made in light of the objective pursued’ and without any objective test limiting access of the public authorities for specific purposes. General access to the content of communications compromises the ‘essence’ of the right to privacy. On these points, the Court expressly reiterated the limits on mass surveillance set out in last year’s Digital Rights judgment (discussed here) on the validity of the EU’s data retention Directive. Furthermore, the absence of legal remedies in this regard compromises the essence of the right to judicial protection set out in the EU Charter. But the Commission made no findings to this effect.
Secondly, the restriction upon DPAs taking action to prevent data transfers in the event of an inadequate level of data protection in the USA (in the context of Safe Harbour) was also invalid. The Commission did not have the power under the data protection Directive (read in light of the Charter) to restrict DPA competence in that way. Since these two provisions were inseparable from the rest of the Safe Harbour decision, the entire Decision is invalid. The Court did not limit the effect of its ruling.
Comments
The Court’s judgment comes to the same conclusion as the Advocate-General’s opinion, but with subtle differences that I’ll examine as we go along. On the first issue, the Court’s finding that DPAs must be able to stop data flows if there is a breach of EU data protection laws in a third country, despite an adequacy Decision by the Commission, is clearly the right result. Otherwise it would be too easy for the standards in the Directive to be undercut by means of transfers to third countries, which the Commission or national authorities might be willing to accept as a trade-off for a trade agreement or another quid pro quo with the country concerned.
As for the Court’s discussion of the architecture of the data protection rules, the idea of the data protection authorities having to go to a national court if they agree with the complainant that the Commission’s adequacy decision is legally suspect is rather convoluted, since it’s not clear who the parties would be: it’s awkward that the Commission itself would probably not be a party. It’s unfortunate that the Court did not consider the alternative route of the national DPA calling on the Commission to amend its decision, and bringing a ‘failure to act’ proceeding directly in the EU courts if it did not do so. In the medium term, it would be better for the future so-called ‘one-stop shop’ system under the new data protection Regulation (see discussion here) to address this issue, and provide for a centralised process of challenging the Commission directly.
It’s interesting that the CJEU finds that there can be a national decision on adequacy of data flows to third States, since there’s no express reference to this possibility in the Directive. If such a decision is adopted, or if Member States apply the various mandatory and optional exceptions from the general external data protection rules set out in Article 26 of the data protection Directive, much of the Court’s Schrems ruling would apply in the same way by analogy. In particular, national DPAs must surely have the jurisdiction to examine complaints about the validity of such decisions too. But EU law does not prohibit the DPAs from finding the national decisions invalid; the interesting question is whether it obliges national law to confer such power upon the DPAs. Arguably it does, to ensure the effectiveness of the EU rules. Any decisions on these issues could still be appealed to the national courts, which would have the option (though not the obligation, except for final courts) to ask the CJEU to interpret the EU rules.
As for the validity of the Safe Harbour Decision, the Court’s interpretation of the meaning of ‘adequate’ protection in third States should probably be sung out loud, to the tune of ‘We are the World’. The global reach of the EU’s general data protection rules was already strengthened by last year’s Google Spain judgment (discussed here); now the Court declares that even the separate regime for external transfers is very similar to the domestic regime anyway. There must be almost identical degrees of protection, although the Court does hint that small differences are permissible: accepting the idea of self-certification, and avoiding the issue of whether third States need an independent DPA (the Advocate-General had argued that they did).
It’s a long way from the judgment in Lindqvist over a decade ago, when the Court anxiously insisted that the external regime should not be turned into a copy of the internal rules; now it’s insistent that there should be as little a gap as possible between them. With respect, the Court’s interpretation is not convincing, since the word ‘adequate’ suggests something less than ‘essentially equivalent’, and the EU Charter does not bind third States.
But having said that, the American rules on mass surveillance would violate even a far more generous interpretation of the meaning of the word ‘adequate’. It’s striking that (unlike the Advocate-General), the Court does not engage in a detailed interpretation of the grounds for limiting Charter rights, but rather states that general mass surveillance of the content of communications affects the ‘essence’ of the right to privacy. That is enough to find an unjustifiable violation of the Charter.
So where does the judgment leave us in practice? Since the Court refers frequently to the primary law rules in the Charter, there’s no real chance to escape what it says by signing new treaties (even the planned TTIP or TiSA), by adopting new decisions, or by amending the data protection Directive. In particular, the Safe Harbour decision is invalid, and the Commission could only replace it with a decision that meets the standards set out in this judgment. While the Court refers at some points to the inadequacy or non-existence of the Commission’s findings in the Decision, it’s hard to believe that a new Decision which purports to claim that the American system now meets the Court’s standards would be valid if the Commission were not telling the truth (or if circumstances later changed).
What standards does the US have to meet? The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however). In addition to a ban on mass surveillance, there must also be detailed safeguards in place. The US might soon be reluctantly willing to address the latter, but it will be even more unwilling to address the former.
Are there other routes which could guarantee that external transfers to the USA take place, at least until the US law is changed? In principle, yes, since (as noted above) there are derogations from the general rule that transfers can only take place to countries with an ‘adequate’ level of data protection. A first set of derogations is mandatory (though Member States can have exceptions in ‘domestic law governing particular cases’): where the data subject gives ‘consent unambiguously’; where the transfer is necessary to perform a contract with (or in the interest of) the data subject, or for pre-contractual relations; where it’s ‘necessary or legally required on important public interest grounds’, or related to legal claims; where it’s ‘necessary to protect the vital interests of the data subject’; or where it’s made from a public register. A second derogation is optional: a Member State may authorise transfers where the controller offers sufficient safeguards, perhaps in the form of contractual clauses. The use of the latter derogation can be controlled by the Commission.
It’s hard to see how the second derogation can be relevant, in light of the Court’s concerns about the sufficiency of safeguards under the current law. US access to the data is not necessary in relation to a contract, to protect the data subject, or related to legal claims. An imaginative lawyer might argue that a search engine (though not a social network) is a modern form of public register; but the record of an individual’s use of a search engine is not.
This leaves us with consent and public interest grounds. Undoubtedly (as the CJEU accepted) national security interests are legitimate, but in the context of defining adequacy, they do not justify mass surveillance or insufficient safeguards. Would the Court’s ruling in Schrems still apply fully to the derogation regarding inadequate protection? Or would it apply in a modified way, or not at all?
As for consent, the CJEU ruled last year in a very different context (credibility assessment in LGBT asylum claims) that the rights to privacy and dignity could not be waived in certain situations (see discussion here). Is that also true to some extent in the context of data protection? And what does unambiguous consent mean exactly? Most people believe they are consenting only to (selected) people seeing what they post on Facebook, and are dimly aware that Facebook might do something with their data to earn money. They may be more aware of mass surveillance since the Snowden revelations; some don’t care, but some (like Max Schrems) would like to use Facebook without such surveillance. Would people have to consent separately to mass surveillance? In that case, would Facebook have to be accessible for those who did not want to sign that separate form? Or could a ‘spy on me’ clause be added at the end of a long (and unread) consent form? Consent is a crucial issue also in the context of the purely domestic EU data protection rules.
The Court’s ruling has addressed some important points, but leaves an enormous number of issues open. It’s clear that it will take a long time to clear up the mess left from this particular poorly supervised party.
Barnard and Peers: chapter 9
Photo credit: www.businessinsider.com