Facts of the case
Mr. Schrems lodged a complaint asking the Irish Data Protection Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States. He submitted that the country did not ensure an adequate level of protection of personal data because of the surveillance activities conducted by the public authorities. The Commissioner considered that he was not required to investigate the complaint because of the lack of evidence and because the adequacy of data protection is determined by Decision 2000/520. Mr. Schrems challenged the Commissioner’s decision before the Irish High Court which decided to ask the Court of Justice whether the Commissioner is bound by Community findings on the adequacy of protection in a third country or whether he can examine the claim of a person which contends that the level of protection is inadequate.
Main findings of the court
Powers of national supervisory authorities
- The Court recalled that Article 28 of the directive, Article 8(3) of the Charter and Article 16(2) TFEU require the Member States to establish “one or more public authorities responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of such data” (para. 40).
- The Court further noted that the national supervisory authorities’ powers do not extend to personal data processed outside of their Member State but it specified that the transfer of personal data from a Member State to a third country constitutes ‘processing of personal data’ (paras. 44-45).
- Accordingly, the Court held that each national supervisory authority has “the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46” (para. 47).
- The Court restated that Article 25 of the Directive makes clear that the finding that a third country ensures or not an adequate level of protection may be made by the Member States or by the Commission (para 50).
- Under Article 25(6) of the Directive, the Commission may adopt a decision stating that a third country ensures an adequate level of protection. This decision is binding on the Member States and all their organs (para. 51).
- For this reason, the Member States and their organs, including the national supervisory authorities, cannot adopt measures contrary to this decision until the decision is declared invalid by the Court (para 52).
- However, the Court stressed that such decision does not eliminate the powers of the national supervisory authorities with regard to the transfer of personal data to a third country subject of that decision (para. 54)
- It follows that the national supervisory authorities must be able to examine, with complete independence, whether the transfer of data complained of complies with the directive even if the Commission has adopted an adequacy decision (para. 57).
- The Court explained that a claim by an individual that the law and practices of a third country do not ensure an adequate level of protection, despite a Commission decision to the contrary, questions “whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals” (para. 59).
- The Court recalled that it alone has the jurisdiction to review the compatibility of Union institutions acts, including Commission decisions (paras. 60-61).
- In a situation where the national supervisory authority comes to the conclusion that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts. Those courts must stay proceedings and make a reference to the Court for a preliminary ruling on validity where they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded (para. 64).
- Where the national supervisory authority considers that the objections advanced by the person who has lodged a claim are well founded, it must be able to engage in legal proceedings, pursuant to the third indent of the first paragraph of Article 28 (3) of the Directive. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity (para. 65).
Conclusion: “(…) Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection” (para. 66).
Validity of the Safe Harbour Decision
- In the view of the Court, the adequacy decision does not contain sufficient findings regarding the measure by which the United States ensures an adequate level of protection.According to Article 25(6) of Directive 95/46, the European Commission should consider the third country’s level of protection as essentially equivalent to the one guaranteed in the EU legal order in order to issue an adequacy decision and should moreover give duly reasoned justification for this.
- Even though the directive 95/46 does not contain a specific definition of the notion of “adequate level of protection” it does refer to the need of conducting an assessment “in the light of all circumstances surrounding a data transfer operation”. With this regard, the Court clarifies that the term “adequate”, if it does not stand for an identical level of protection to be ensured, at least refers to an equivalent level of protection to the one ensured by the European Union by virtue of the Directive 95/46 read in the light of the Charter. In the view of the Grand Chambre, even though the recipient country has adopted means to ensure adequacy which may be different from the ones used within the EU legal order, the same means must be practically ensuring an adequate, and then, equivalent level of protection as the EU does (par. 70-73).
- In this light, the European Commission is obliged to assess the content of all applicable rules resulting from domestic law or international commitments which are relevant for data transfer (par. 75).
- The Court clarifies that the European Commission is additionally in charge of periodically conducting checks on whether the finding may be still retained as factually and legally justified (par. 76).
- Notwithstanding the Court argues that there is no need for analysing the content of the SH principles, the Court takes the view that the reliability of a self – certification system essentially depends on the existence of an effective mechanism of both detection and supervision which would allow for any infringement to be detected and punished, this meeting the criterion of “adequacy”. (par. 81)
- Firstly, SH principles are only applicable to self – certified US organizations receiving personal data from the European Union, not being binding for US public authorities as a consequence (par 82). Secondly, the adequacy assessed in the decision only refers to the provisions as implemented in accordance with the FAQs issued by the US Department of Commerce, without ever including findings related to the measure taken by the US to ensure the adequate and therefore equivalent level of the protection from a broader point of view (par. 83).
- Moreover, Annex I and IV, together combined, allow for interference in private life as long as reasons of national security and public interest require to do so: in this case, the lack of compliance with the SH principles will be justified on the grounds of the overriding legitimate interests established by US law, which must prevail on the same Safe Harbour principles, as to limit the mentioned interference with the fundamental rights or to any effective legal protection against interference of this kind (par. 85-87).
- Interference with private life is to be accompanied with a set of minimum safeguards, as established in the EU Charter. On the contrary, EC adequacy decision does not make any detailed reference to the safeguards which are taken by the US to ensure adequacy (par.91). Legislation which allows public authorities to access on a generalised basis the content of electronic communications must be considered as compromising the essence of the fundamental right to respect for private life as guaranteed by article 7 of the Charter.
- Similarly, legislation not granting effective legal remedies to access one’s own personal data, to have data either rectified or erased, compromises the essence of fundamental right to effective judicial protection as guaranteed in article 47 of the Charter.
Conclusion: Article 1 of the Decision 2000/520 is declared invalid since it does not comply with article 25(6), requiring for the third recipient country to ensure an adequate level of protection by reasons of its domestic law or international commitments.
Excess of power from the Commission
- According to the Court, Article 28 of the directive, to be read in the light of Article 8 of the Charter, enables national supervisory authorities to examine, both with independence and due diligence, claims arising from individuals which may also raise questions on the compatibility of a EC adequacy findings with protection of fundamental rights law (par. 99).
- Article 3(1) of the adequacy decision makes the suspension of data flow to an organization having self – certified its adherence to the principles, possible only under restrictive conditions establishing a high threshold for intervention. In this sense, Article 3(1) must be read as hindering national supervisory authority from exercising the whole range of powers they are entitled to from article 28 of the directive 94/46 (par. 102) .
Conclusion: Article 3 of the Decision 2000/520 is declared as invalid for having the Commission exceeded the power conferred in Article 25(6) of the directive 95/46, depriving DPA from the power of diligently handling complaints in cases where compatibility of the EC adequacy decision is at issue.
“As Articles 1 and 3 of the Decision 2005/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety. (…) It is to be concluded that Decision 2000/520 is invalid (paras. 105-106)”.