Advocate General Bot today delivered his opinion to the Court of Justice of the European Union (“CJEU”) in the landmark case of Schrems v Data Protection Commissioner. This is a hugely significant case which will impact on thousands of multinational companies, many of whom operate in Ireland, who rely on the Safe Harbour scheme to legitimise transfers of personal data to the US.
As discussed in our Crossfire blog post from June 2014, this case involves a preliminary reference from the Irish High Court to the CJEU regarding the ability of the Irish Data Protection Commissioner (“DPC”) to block transfers of data to the US in light of Edward Snowden’s revelations concerning the National Security Agency’s PRISM program and the mass surveillance of data in the US. Mr Schrems had argued that transfers of personal data from Facebook Ireland to Facebook Inc. in the US should be blocked in light of these revelations. The DPC refused to investigate this complaint on the basis that he was bound by a decision of the European Commission that the Safe Harbour scheme ensured adequate protection of personal data and legitimised transfers to companies signed up to the scheme.
The Advocate General expressed the opinion that, because of the importance of national authorities in the protection of individuals, a Commission decision such as that approving the Safe Harbour scheme does not deprive Member States’ data protection regulators of their powers of intervention. A regulator can still block a transfer in such a case where they are satisfied that the fundamental rights of individuals will not be protected.
Furthermore, the Advocate General went on to consider the validity of the Commission decision approving the Safe Harbour scheme. In his opinion, the decision has been rendered invalid because of the mass, indiscriminate surveillance in the US which constitutes a disproportionate interference with rights guaranteed by the Charter of Fundamental Rights, beyond what is strictly necessary in the interests of national security. Moreover, the inability of EU citizens to challenge this surveillance and the lack of sufficient supervision and safeguards denies citizens an effective remedy, as required by the Charter. These deficiencies mean the Commission was not entitled to find that the Safe Harbour scheme ensured an adequate protection of personal data.
Although not binding on the CJEU, the opinion of the Advocate General is an important step in the process and such opinions are followed in the majority of cases. Should the CJEU follow this opinion it will have a major impact on many multinationals transferring data to the US. Negotiations are currently underway between the Commission and the US Department of Commerce to revise the Safe Harbour scheme.
However, pending agreement there are alternative ways of legitimising a transfer of personal data to the US. Many multinationals have already put in place standard contractual clauses. These are model clauses designed to ensure an adequate level of protection for personal data transferred outside the EEA. Model clauses are Commission approved and do not need to be submitted to the DPC for approval. However, in light of the Advocate General’s opinion that national regulators are permitted to look behind a Commission decision regarding adequacy, this position may also be in doubt. Alternatively, multinationals may opt for Binding Corporate Rules (“BCRs”), which are legally enforceable rules for intra-group transfers. BCRs must be submitted to the DPC for approval before a transfer can take place and this process can take approximately six months to a year to complete.
The CJEU is expected to deliver its judgment in the next two to four months.