The European Court of Justice ruling on Tuesday concerned a referral from the Irish Court involving the Irish Data Protection Commissioner in Portarlington and the Austrian law graduate and privacy campaigner Max Schrems.
He is a Facebook user since 2008 and initiator of several legal complaints and court actions against the US social network.
In 2013 he filed a complaint with the Irish commissioner on foot of whistleblower Edward Snowden's claims that US intelligence operated a programme called "Prism", which allowed widespread access to data collected by US tech companies. This data, Snowden claims, included data gathered by Facebook, Google and others on EU citizens.
Mr Schrems asked the Irish commissioner to investigate the claims, arguing that such a broad data collection went beyond the 2000 Safe Harbour agreement between the European Commission and US Department of Commerce.
He claimed the alleged practices violated the EU’s data protection directive and several of his fundamental rights under the EU’s Charter of Fundamental Rights.
The Irish commissioner declined to investigate, saying that it was precluded from doing so and that a 2000 commission decision found adequate protections were in place under the “Safe Harbour” for data transferred from the EU to the US.
Mr Schrems took a judicial review against the Irish commissioner’s dismissal of his complaint as “frivolous and vexatious”. The High Court asked the European Court of Justice for clarity on whether the 2000 commission ruling precluded national data protection authorities from investigating complaints of inadequate levels of data protection.
In its judgment, the European Court of Justice said that pre-existing commission judgments “cannot eliminate or even reduce the powers available to the national supervisory authorities” under the Charter of Fundamental Rights of the European Union and the data protection directive.
Oversight of decisions
This directive – the rulebook for EU data collection – does not prevent oversight by national authorities of commission decisions, the court rules.
Though it alone has the power to decide whether a commission decision is valid, the European Court of Justice said national Irish commissioners must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements of the directive.
“It is incumbent upon the national supervisory authority to examine the claim with all due diligence,” the court said in its judgment.
Should a national commissioner find the complaint unfounded, the complainant must have access to judicial remedies before national courts.
If, on the other hand, a national Irish commissioner finds the complaint well-founded, “the authority must . . . be able to engage in legal proceedings” against the European Commission.
“It is incumbent upon the national legislature to provide for legal remedies”, the court said, for the national commissioner to take the case to the courts to challenge the validity of a commission decision.
Turning to the issue of the validity of Safe Harbour agreement itself, the European Court of Justice found that the commission had not examined its implementation in the US but only the agreement itself.
US public authorities, it noted, are not themselves subject to it. Where a conflict of interest arises, “[US] national security, public interest or law enforcement requirements have primacy over the safe harbour principles”.
This creates grounds for interference between US public bodies and fundamental rights of EU citizens – with no rules or provisions available to limit any such interference.
The Brussels administration claimed in 2000 that “adequate level of protection” existed for Safe Harbour but admitted in oral hearings last April that it had no means to prevent illegal access of data, or to demand that data collected illegally was rectified or erased.
Further, the commission had no administrative or judicial means of redress in cases where data were transferred beyond what was strictly necessary and proportionate.
The Safe Harbour protection principles, the court noted, “are applicable solely to self-certified United States organisations receiving personal data from the European Union, and United States public authorities are not obliged to comply with them”.
But permitting US public authorities “access on a generalised basis” to the content of electronic communications “must be regarded as compromising the essence of the fundamental right to respect for private life”, article seven of the charter.
Safe Harbour’s lack of opportunity for legal remedy, meanwhile, compromises the charter’s fundamental right to effective judicial protection.
Citing its ruling in a case taken by Digital Rights Ireland, the court said that “the need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data”.
The court ruled that, in light of the charter, the commission had exceeded its powers in its 2000 ruling that Safe Harbour offered adequate protections, meaning Safe Harbour was thus invalid.
Its decision also requires the Irish commissioner to examine Mr Schrems’s original complaint against Facebook “with all due diligence” and to decide, after its investigation, whether there are grounds to suspend transfer of EU citizens’ Facebook data to the US.
The European Court of Justice left the issue of costs to the discretion of the High Court.