An inconvenient stand

In Case C-362/14 ?Schrems v Data Protection Commissioner (Grand Chamber, 6 October 2015), ?the Court of Justice of the European Union (CJEU) strongly asserted the importance of EU data protection principles.

Directive 95/46 establishes rules designed to protect individual privacy over personal data. Data moves easily over borders, and the EU cannot, ?of course, dictate how data is protected in third countries, but it can control the circumstances in which it is transferred there. To that end, article 25(1) of the directive requires member states to ensure that data is only transferred to a non-EU country if it ‘ensures an adequate level of protection’.

What exactly counts as an ‘adequate level’ of protection is not spelled out, but the directive provides for the European Commission to take decisions ?on a country-by-country basis. ?In relation to the US, the Commission found in Decision 2000/520/EC that personal data would be adequately protected provided companies agreed to follow the ‘safe harbour privacy principles’, promulgated as voluntary principles by the ?US Department of Commerce.

Safe harbour principles

Mr Schrems was an Austrian Facebook subscriber. Following the revelations about US government surveillance resulting from Edward Snowden’s leaks, Schrems tried to complain to the responsible authority in Ireland, where Facebook has its European headquarters, that the operation of the ‘safe harbour principles’ had not provided an ‘adequate level of protection’ when data was moved by the company from its Irish servers to the US. The Irish authorities took the view that their hands were tied by the Commission decision.

On a reference to the ?CJEU, the court disagreed. ?Two principles clashed. ?On the one hand, authorities ?in member states are bound ?by the Commission’s decisions. ?On the other hand, individuals must have effective recourse ?to judicial protection.

The answer, in the court’s view, lay in what is, in EU ?terms, a classic ‘two-tier’ ?scheme of judicial review. Citizens aggrieved by a Commission decision must ?be able to complain to their national authorities, which ?must properly consider the complaint. 

If they reject the complaint, the aggrieved citizen can challenge that rejection and thereby (indirectly) bring the validity of the decision before the courts, and ultimately the CJEU. If they agree with the complaint, the national courts should themselves bring legal proceedings to challenge the decision’s validity. Thus it would be possible to maintain both good order (the Commission’s decision cannot be set aside unless the CJEU so rules), and effective judicial protection.

Scathing judgment

So far, so good. But what of the substance? The CJEU, having explained that it was the right authority to examine the validity of the decision, went ahead ?and did just that. And, behind ?its customary formality of language, it was scathing. ?The voluntary scheme sanctioned by the decision did not require the US to maintain any proper safeguards to ensure that US government entities accessed information only where it was strictly necessary to do so. 

The court held: ‘[L]egislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental ?right to respect for private life.’ 

This could have taken the court into very controversial territory, but it was able to reach its conclusion on the basis of an abstract analysis of the decision, without passing judgement or comment on Snowden’s revelations. The Commission decision had not attempted a proper analysis of US law to consider whether it provided adequate protection at all. It had, therefore, not even managed to express an opinion on the key question that needed to be addressed. Moreover, it purported to tie the national authorities’ hands about what ?to do if there was a problem, ?in what amounted to an attempt by the Commission to vary the terms of the directive, which it had no power to do. The entire decision was invalidated.

This is a robust decision by the CJEU, which intervenes strongly to protect individual rights despite powerful political and practical arguments in favour of maintaining some sort of status quo. It does not mince its words or its arguments, which are compelling. Some may ?criticise the court for a lack of pragmatism. But in the end, a court’s job is sometimes not to be pragmatic. If the EU is serious about data privacy – more serious, apparently, than the US – then it may need to take an inconvenient stand.

Paul Stanley QC is a barrister practising from Essex Court Chambers @EssexCourtLaw essexcourt.com