THE JURISDICTIONAL ISSUE
The Irish High Court referred to the Court of Justice of the European Union (“CJEU”) the question of whether the European Commission’s Decision 2000/520 (the “Safe Harbor Decision”), which found that the Safe Harbor Agreement ensures an adequate level of protection for EU citizens’ data transferred to the US, precluded the Irish Data Protection Commissioner from investigating Mr. Schrems’ complaint. To this end, the CJEU sought to resolve the seeming conflict between the powers that Directive 95/46 (“the EU Data Protection Directive”) grants the European Commission and those it grants the independent data protection authorities that it requires member states to establish. Article 25(6) of the Directive empowers the Commission to decide that a third country ensures an adequate level of protection for EU citizens’ data transferred to that country. Although such Commission decisions are binding on member states, Article 28 empowers member states’ data protection authorities to investigate citizens’ complaints about the processing of their data. Under the Data Protection Directive, the transfer of personal data from a member state to a third country counts as processing of the data within the member state. Accordingly, the CJEU reasoned that “the national supervisory authorities … responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data … [are] vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46.” Para. 47.
To assess the impact of the Safe Harbor Decision, the CJEU interpreted the Data Protection Directive in the light of the provisions in Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union for respect for private life, the protection of personal data, and the right to an effective remedy. Thus read, a Commission decision, under Article 25(6) of the Directive, that a third country provides an adequate level of protection cannot prevent member states’ authorities from applying their Article 28 powers to investigate complaints about protections afforded to people’s data transferred to the third country. The CJEU held, however, that jurisdiction to invalidate a Commission decision under Article 25(6) of the Directive or any other EU act belonged to it alone. Hence, the Irish Data Protection Commissioner’s and Irish courts’ power to investigate and provide legal redress for Mr. Schrems’ complaint stopped at referring the question of the validity of the Safe Harbor Decision to the CJEU.
THE INVALIDITY OF THE SAFE HARBOR DECISION
The CJEU went on to invalidate the Safe Harbor Decision on the ground that a determination, under Article 25(6) of the Directive, that a third country adequately protects transferred EU citizens’ data must consider the country’s laws as they are in fact applied. Instead of considering the US legal regime, the Decision only assessed the protection afforded to EU citizens’ data by companies that voluntarily self-certified to the safe harbor principles.
In addition, the CJEU found that the Commission’s approval of the safe harbor principles flew in the face of its findings that companies’ adherence to the principles could be limited “to the extent necessary to meet [United States] national security, public interest, or law enforcement requirements” and that US law would prevail in the event of any conflict with the safe harbor principles. Para. 84. By holding these limits on applicability compatible with an adequate level of protection, the Decision “enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.” Para. 87.
Further, the CJEU faulted the Safe Harbor Decision for not including any findings about the limits that US law places on government interference for legitimate purposes, such as national security, with the fundamental rights of EU citizens whose data is transferred to the US. As the Commission itself recognized in Communications issued in the wake of the Snowden revelations, US law contravenes the principles of necessity and proportionality in EU law. “Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.” Para. 93.
Similarly, although the Safe Harbor Decision failed to include any findings about the legal redress afforded to EU citizens for undue interference with their data, the absence of legal redress for EU citizens is a major problem with the US legal regime. “Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.” Para. 95.
In addition to the substantive problems with US law, the CJEU invalidated the Safe Harbor Decision on the ground that it denied that in its wake, national data protection authorities would still have the power, under Article 28 of the Directive, to investigate EU citizens’ complaints about the processing of their data in the US.