Data Protection Report - Norton Rose Fulbright

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015.  In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission.  If the ECJ chooses not to take the bait – whether on substantive or procedural ground — and to preserve the Safe Harbor status quo, that decision may actually strengthen the Safe Harbor by intimating that the ECJ believes the Safe Harbor to be valid in its current form, and significantly weaken the position of certain DPAs and other European regulators and legislators who have been assailing the framework over the years.  

Setting aside the practicalities of the decision and its politics, however, there appear to be strong legal grounds for the ECJ not to follow the Advocate General’s recommendation to declare the Safe Harbor invalid.  Most importantly, the Advocate General’s recommendation went far beyond the questions the Irish High Court referred to the ECJ, and his grounds for recommending that the Safe Harbor be declared invalid are legally suspect.

As discussed in our blog post last week, the questions from the Irish High Court on which the European Court of Justice was asked to rule were relatively narrow. The High Court asked whether the Irish Data Protection Commissioner (DPC) is bound by the Commission’s Decision 2000/520/EC of 26 July 2000 (“Commission Decision”) finding that the United States’ protections of personal data under conditions set out in US/EU Safe Harbor regime are adequate for purposes of the EU Data Protection Directive (Directive 95/46EC), or whether the DPC could – or is even required to – conduct its own investigation of the matter in the light of factual developments that have occurred after the Commission Decision was published.

The High Court’s questions were highly technical, involving an analysis of the legislators’ intentions in allocating powers to regulate the export of personal data from the EU to third countries. The DPC had initially rejected Maximilian Schrem’s complaint regarding Facebook’s export of his personal data to the United States on the ground that the Commission’s Decision precluded the DPC from examining the adequacy of protection of those data in the United States under the Safe Harbor. Despite rather emotional language about the importance of the DPC’s independence, the Advocate General acknowledged that the DPC is bound by the Commission Decision (para. 83). The Advocate General nonetheless took the view that the Commission Decision should not be interpreted to preclude an investigation by the DPC in light of the wording of the Directive and other EU law principles (paras 85 et seq.).

Although the DPC’s position is clearly preferable from the perspective of international trade and a uniform interpretation of the Directive, this is an issue on which reasonable people could differ. Indeed, EU Member States have taken different approaches to the powers of national data protection authorities in implementing the Directive in this area. For example, addressing the opposite side of the issue, some Member States, such as the UK, allow data controllers to make a “self-assessment” of the adequacy of a transfer to a third country where there is no available legitimizing exemption or Commission decision available.

The Advocate General could, and arguably should, have ended his opinion with this conclusion, advising the ECJ to inform the Irish High Court that EU law does not preclude the DPC from examining Mr. Schrem’s complaint, allowing the issue to be further addressed in the Irish proceedings. Instead, the Advocate General went much further, noting that “on a number of occasions, the Court has of its own motion declared invalid an act which it was asked only to interpret” (para. 126). The cases the Advocate General cites for this proposition date from 2005, 1979 and 1976 and concerned very different circumstances.

Having taken the highly unusual step of considering whether the Commission Decision is invalid even though the Irish High Court had not asked this question, the Advocate General launched himself down a very slippery legal slope.

The Advocate General makes an uncontroversial observation that the Commission Decision, having been adopted about 15 years ago, needs to be reviewed in light of changed circumstances (para. 136 et seq.). It is at this point that the opinion veers into uncharted legal waters, making a number of dubious and arguably inconsistent assertions.

First, the Advocate General asserts that the 2013 Snowden revelations required a reassessment of the factual determination underlying the Commission Decision. But the European Commission did precisely that when it issued the 13 recommendations for improvement for the Safe Harbor (set out in its Communication of 27 November 2013) and launched a review of the Commission Decision that is now nearing completion. The Advocate General asserts that, instead of allowing the Commission Decision to remain in force during this review, the Commission should have suspended the Commission Decision (para. 217). That was indeed an option available to the Commission, but the question whether the Commission was under a legal obligation to suspend the Commission Decision is a complex issue of law and fact that was not before the ECJ in Schrems and had not been researched and briefed by the parties.

In spite of his assertion that the Commission should have suspended the Commission Decision in 2013, the Advocate General proceeded to recommend going beyond suspension to simply declare the Safe Harbor invalid (e.g., para 237).  Again, this proposition was not briefed by any of the parties and the Advocate General offers no analysis of why the Safe Harbor should now be invalidated rather than, for example, suspended.

The Advocate General’s opinion describes in emotional terms the implications of the US PRISM program, which in his view is inconsistent with a finding that US Safe Harbor-certified entities offer adequate protection of EU citizens’ personal data. However, he does not discuss the PRISM program or US privacy protection in detail or cite a single US statute. Nor does he discuss – or even acknowledge – the significant changes in US law since 2013.  None of these issues were, apparently, thoroughly briefed in the Irish proceedings or before the ECJ.  

The Advocate General also failed to consider the significance of European domestic surveillance or laws governing the government’s access to data, such as Germany’s G10, or surveillance programs in other non-EU countries as to which the Commission has made equivalence findings.  The Advocate General also failed to discuss the implications of his reasoning to other approaches to data exports, such as the model clauses.

Under these circumstances, the ECJ would seem to have ample grounds to depart from the opinion of its Advocate General, or follow the Advocate General’s opinion only to the extent the opinion addressed the specific questions asked by the Irish High Court. In particular, the ECJ could agree with the Advocate-General that the Directive does not preclude the DPC from examining Mr. Schrem’s complaint, but not declare the Safe Harbor invalid.  In that case, the Irish proceedings could go on for years to come. Those proceedings would no doubt be highly contentious, but at least the issues could be appropriately briefed and resolved.

As noted, the ECJ’s opinion in this case is expected on October 6, 2015. We will address the decision on our blog soon after the opinion is issued.