The High Court, in Schrems v Data Protection Commissioner, 18 June 2014, has referred questions arising to the Court of Justice of the European Union (the CJEU). Judge Hogan has adjourned the High Court proceedings pending the reference to the CJEU.
The Judge is asking the CJEU to examine two questions:
(1) Whether, as a matter of EU law, the Data Protection Commissioner (the DPC) is absolutely bound by the finding of the European Commission as manifested in Decision 2000/250/EC (i.e. that the Safe Harbour regime provides adequate protection for personal data), having regard to the subsequent entry into force of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (which provide, respectively, for the right to respect for private and family life, and to protection of personal data) notwithstanding the provisions of Article 25(6) of the Data Protection Directive?
(2) Or alternatively, whether the DPC may conduct his own investigation of the matter in light of the factual developments since that Commission Decision was first published (i.e. the Snowden revelations that data and communications were being intercepted by the NSA on a global scale).
The case is due to be mentioned in the High Court in two weeks before the matter is sent to the CJEU.
Background
The High Court proceedings involved a judicial review application by Mr Schrems in regard to the refusal by the DPC to investigate his complaint on the grounds that it was "frivolous and vexatious".
Mr Schrems had complained to the DPC that as the Snowden revelations demonstrate that there is no effective data protection regime in the United States, the DPC should exercise his statutory powers to direct that the transfer of personal data from Facebook Ireland to its parent company in the United States should cease. The DPC exercised his power not to investigate the complaint on the basis that Facebook had self-certified under the Safe Harbour regime, and as there was a Community finding that the Safe Harbour regime provided adequate data protection, there was nothing left for him to investigate.
In the High Court proceedings, Mr Schrems contended that the decision by the DPC was unlawful. The DPC, however, maintained that he is bound by the terms of the finding by the European Commission in July 2000 to the effect that the Safe Harbour regime, agreed between the EU and the US for the transfer of personal data from the EU to the US, provides an adequate level of protection for personal data.
Decision
Hogan J. concluded as follows:
(1) Whilst Mr Schrems’ complaints were not "frivolous or vexatious" in the ordinary sense of these words, these words bear a different connotation in the context of the Data Protection Acts 1988 & 2003 (the DPAs). Used in this context these words mean no more than that the DPC had concluded that the complaint was unsustainable in law.
(2) Mr Schrems enjoyed locus standi to bring this complaint and these proceedings. It was irrelevant that Mr Schrems could not show his own personal data was accessed by the NSA, since what mattered was the essential inviolability of the personal data itself.
(3) The evidence suggests that personal data of data subjects is routinely accessed on a mass and undifferentiated basis by the US security authorities.
(4) As far as Irish law is concerned, s. 11(1)(a) of the DPAs forbids the transfer of personal data to a third country unless it is clear that that jurisdiction sufficiently respects and protects the privacy and fundamental freedoms of the data subjects. In the context of national law, the standards are those contained in the Constitution.
(5) The chief constitutional protections relating to personal privacy and the inviolability of the dwelling in Article 40.5 of the Constitution would be compromised by the mass and undifferentiated surveillance by State authorities of conversations and communications which take place within the home. For such interception of communications to be constitutionally valid, it would be necessary to demonstrate that this interception and surveillance of individuals was objectively justified in the interests of the suppression of crime and national security, and further that any such interception was attended by appropriate and verifiable safeguards.
(6) If the matter were to be measured solely by Irish law and Irish constitutional standards, then a serious issue would arise which the DPC would then have been required to investigate as to whether US law and practice in relation to data privacy, interception and surveillance matched these constitutional standards.
(7) Irish law has been effectively pre-empted by EU law and specifically by the provisions of the Data Protection Directive and the 2000 Decision. The 2000 Decision found that the Safe Harbour regime sufficiently safeguarded the rights of European data subjects. Further, it is clear from Article 25(6) of the Data Protection Directive that national data protection authorities must comply with such findings.
(8) If the DPC cannot look beyond the Commission’s Safe Harbour Decision of July 2000, then the present application for judicial review must fail.
(9) Mr Schrems maintains that the DPC has not adhered to the requirements of EU law in holding that the complaint was unsustainable in law, but the opposite is in fact true. The DPC has demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision.
(10) Mr Schrems’ objection is, in reality, to the terms of the Safe Harbour Regime itself, rather than to the manner in which the DPC has actually applied the Safe Harbour Regime. However, neither the validity of the Data Protection Directive, nor the validity of the Commission’s Safe Harbour decision have been challenged in these proceedings.
(11) The critical issue is whether the proper interpretation of 1995 Directive and the 2000 Decision should be re-evaluated in the light of the subsequent entry into force of Article 8 of the Charter and whether, as a consequence, the Commissioner can look beyond or otherwise disregard this Community finding. For this reason the matter should be referred to the CJEU.
Reaction of the DPC
The DPC welcomes the judgment of Judge Hogan, and the High Court’s confirmation that, on the law as it presently stands, the DPC is obliged to respect the 2000 Commission Decision that the Safe Harbour regime complied with EU law.
A statement released by the DPC’s Office notes that: "The Commissioner acknowledges and accepts the Court’s view that, because the data privacy issues raised by the Snowden revelations are so serious, it is appropriate that the European Court of Justice should be asked to consider the critical issue of whether the proper interpretation of the 1995 Directive and the 2000 Commission decision should be re-evaluated in light of the subsequent entry into force of Article 8 of the Charter".