How a study exchange triggered a CJEU landmark decision
Two years ago, an Austrian law student Max Scherms filed a complaint with the Irish DPA claiming that there was no effective data protection regime in the US. Earlier this month, the CJEU issued a preliminary ruling in the case.
A law student who made Vice President of Facebook fly to Vienna to discuss privacy
While studying law at the University of Vienna, Max Scherms spent a semester at Santa Clara University in Silicon Valley. The decision to study abroad changed his life.
In one of the classes he followed, Ed Palmieri, Facebook’s privacy lawyer, was the guest lecturer. Scherms, used to restrictiveness of the EU privacy regulation, was surprised by Palmieri’s limited grasp of the severity of data protection laws in Europe. He decided that his thesis would focus on Facebook’s misunderstanding of privacy laws in Europe. To research the subject Scherms requested the access to all the data that Facebook collected about him. He eventually received a file with over 1200 pages. After having examined it carefully he realised that Facebook’s processing of personal information fell short of the European standards. Not only did Facebook send him the file - a few months later when Scherms took his first formal steps by filing complaints with the European authorities, he also received a high-level visit from Facebook’s policy Vice President Richard Allen.
Scherms v. Data Protection Commissioner
In 2013 Scherms filed a complaint with the Irish data protection authority (DPA) claiming that the transfers of user data from Facebook’s affiliate in Ireland to the headquarters in the US were unlawful. More precisely, he challenged the Commission’ Decision 2000/520/EC (commonly known as Safe Harbour), which was widely used as the legal basis for data transfers. Scherms claimed that the Safe Harbour decision that found the US data protection regime adequate should be annulled, since it was clear, based on the revelations by Snowden, that the data transferred to the US was subject to NSA massive surveillance.
The Irish DPA rejected the complaint, mostly on formal grounds, but when Scherms appealed to the Irish court, the latter expressed sympathy for the appellant’s claims. The high court made no final decision, but referred the case to the Court of Justice of the EU (CJEU).
The CJEU agreed to hear the case and the final decision about the Safe Harbour invalidity on October 6 has shaken up the world of privacy activists, EU law enthusiasts and academics. The ruling was in fact somehow to be expected, given the AG’s clear statement against the Safe Harbour and the restrictive tone of the CJEU in recent judgements related to personal data processing (Google Spain v Costeja, Digital Rights Ireland ).
The judgement in case C‑362/14 has two core parts. First, the Court addresses the question whether a DPA can assess the validity of a Commission’s Decision on adequate safeguards. Similarly to what was proposed in the AG’s opinion, the Court confirmed that the DPAs should be granted the power to examine and challenge such decisions with all due diligence to adequately protect the rights of an individual.
In the second part of the ruling, the Court went beyond the Irish court’s request and assessed the validity of the Commission’s Decision itself. The Court acknowledged that reasons of national security, public interest, or law enforcement requirements may have primacy over the Safe Harbour principles under the condition that the interference with fundamental rights does not go beyond what is necessary and proportional. However, the Court emphasised that ‘… legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications /… / not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, must be regarded as compromising the essence of the fundamental right to respect for private life.’
What are the next steps?
The CJEU decision is striking, because it makes the transfer of data across the Atlantic much harder or even impossible. With more than 4,500 US companies self-certified to adhere to Safe Harbour, this is a serious concern. Since transfers under the Safe Harbour decision are no longer permitted, all the alternative tolls to manage data transfer are inadequate for the same reason. Some argue that a user’s consent and public interest could legitimate the transfers but even these aspects are problematic. According to EU law, consent must be given unambiguously. This means that every European citizen should be clearly informed about the gravity of the NSA activity before his data is processed. Given the uncertainties regarding state surveillance and its actual scope, it is unlikely that such information can be provided. Moreover, even though people would consent to such scrutiny of their data, it is can be argued that tolerating a direct breach of the right to data protection is not conceptually possible.
A German DPA in Schleswig-Holstein (Germany has a DPA in each of its federal states) recently announced that all alternatives to Safe Harbour are invalid. In other words, the German DPA is imposing a data localisation requirement to data transfers from Germany to the US. To emphasise the seriousness of their intentions, the DPA warned that breaches would be punished with a fine of up to 300,000 EUR.
The Article 29 Working Party, the European advisory body composed of the national DPAs’ representatives, convened soon after the judgement was issued. In contrast to Schleswig-Holstein’s DPA, it took a more lenient approach by considering that contractual clauses or binding corporate rules as alternatives to Safe Harbour should be temporarily tolerated. If by the end of January 2016, however, no appropriate solution has been found with the US authorities and depending on the assessment of the transfer tools by the Working Party, the EU DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
Dura lex, sed lex
While the CJEU judgement is a great victory for EU data protection law, the news about suspending the transfers to the US is a harsh reality for global businesses. Dura lex, sed lex one would comment. The decision is painful, but necessary. The Court has restated once again that the EU is sticking firmly to its privacy principles.
However, commentaries from two of the most renowned privacy professors reveal the other side of Scherms’ success at the CJEU. Professors Peers and Kuner have observed that the CJEU has let the EU data protection go beyond the limits set in the Lindquist case. Both, the Scherms’ case and Google v. Spain implicitly advocate a global scope of EU law. Kuner has also pointed out that the CJEU approach is too theoretical and that the Court lacks interest in data protection law in practice.
The Safe Harbour decision will probably cause some administrative problems to the big Silicon Valley companies, but it is the smaller businesses such as European SMEs that will really feel the effects. In addition, the decision might impact scientific research, since research institutions are dependant on the regular exchange of vast amounts of data between the continents. For Europe, which is striving for a more successful data-driven economy, imposing de facto localisation rules could be detrimental.