Schrems v Data Protection Commissioner

October 8, 2015
Tomasz Będźmirowski

Safe Harbor Era

In its judgment of October 6, 2015, the Court of Justice of the European Union (hereinafter: CJEU) invalidated Commission Decision 2000/520/EC of July 26, 2000 (hereinafter: Decision), and consequently stripped the U.S.-EU Safe Harbor Framework of its significance as a guarantee of an adequate level of personal data protection.
Let me recall that the Safe Harbor Framework was developed by the European Commission and the US Department of Commerce as a practical means to overcome the differences in the approach to protection of personal data between the European Union and the United States. The high standards set by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (hereinafter: Directive) determined the classification of the United States as a third country which does not ensure on its territory an adequate level of protection of personal data – to use the terminology employed in the Polish national legislation implementing the Directive (namely, the Act of August 29, 1997 on the protection of personal data; hereinafter: Act). Such a classification generally excludes the possibility of transferring data to the United States. But then, what are the exceptions for?

Inside the Safe Harbor

By accepting the Safe Harbor Framework, the European Union in fact recognized the appropriateness of the level of personal data protection in the United States. Furthermore, according to Article 26(3) paragraph three of the Directive, the EU Member States were obliged to take the necessary measures to comply with the Decision. Henceforth it was enough for an American company to self-certify its compliance and notify the US Department of Commerce that it adheres to the Safe Harbor Principles, and the EU personal data protection system would accept without protest or reservation the transfer of sensitive data to the very country where rules intended to limit interference with the fundamental rights of persons were disregarded and no effective legal protection against the interference was in existence, as evidenced by the disclosure of PRISM.

Schrems the user

The CJEU was presented with a golden opportunity to assess the Safe Harbor scheme in the light of the Charter of Fundamental Rights of the European Union and the Directive thanks to the case of Maximilian Schrems, a somewhat remarkable user of the Facebook social network. This Austrian lawyer and activist filed a complaint with the Irish data protection authority (Data Protection Commissioner, hereinafter: DPC) challenging the legality of the transfer of data to servers situated in the United States. The complaint was made to the DPC as the authority responsible for the supervision of the European branch (Facebook Ireland) of the American service provider (Facebook, Inc.); it contended that data protection in the US was inadequate and sought to ban the transfer of his personal data to that country.

The DPC rejected Schrems’ complaint as unfounded, pointing out, first, that there was no evidence of interference with his personal data by the NSA (National Security Agency, i.e. the American intelligence agency), and secondly, that the adequacy of data protection in the United States was vetted and confirmed in the Decision.

Principled CJEU

The Schrems case was heard by the CJEU because of a reference for a preliminary ruling made by the Irish High Court, asking for clarification on whether a national supervisory authority may examine the claim of a person concerning the protection of their rights and freedoms in regard to the processing of personal data in a country found by the European Commission to ensure an adequate level of data protection. This question was warranted having regard to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, with which provisions – according to the High Court – the Decision was in breach. Thus, the CJEU had to decide on the legality of the Decision; and it embraced this opportunity.

The CJEU noted that the transfer of personal data is just one type of operation which may be performed upon the data, and therefore it is – besides specific regulations, such as those governing the transfer of data to a third country – subject to the general rules covering data processing. In consequence, national supervisory authorities, such as the DPC (or the Inspector General for Personal Data Protection – note by TB), are entitled and obliged to exercise their supervisory powers to procure compliance in processing such data, including to hear, and decide on their merits, claims lodged by data subjects. The CJEU emphasized that the Decision may not, in and of itself, justify any limitations on the protection of rights and freedoms with regard to the processing of personal data.

The CJEU went even further and showed what it means to apply a critical approach to the alleged level of protection of personal data: taking advantage of its unique powers, the CJEU annulled the Decision as being based on faulty assumptions and relating to a country whose legal system compromises the essence of the fundamental right to respect for private life.

New era

The judgment in Schrems v DPC has invalidated a frequently relied-upon legal ground enabling the transfer of personal data to the United States. This means, for example, that personal data controllers subject to Polish law will have to take advantage of other exceptions provided for in the Act for the continued use of servers in the USA. It also means that the transfer to a third country which does not, allegedly or otherwise, ensure on its territory an adequate level of protection of personal data, will be subject to unfettered examination by the Inspector General for Personal Data Protection and courts, from the perspective of the fundamental rights of data subjects and specific provisions on the protection of personal data.

At the same time, as the Panoptykon Foundation points out (in Polish only), the CJEU’s judgment should also be analyzed at the political level. As stated by Katarzyna Szymielewicz in her comment for Gazeta Prawna (in Polish only), the holding of the CJEU may be read as an announcement of political and legal obstruction in transferring personal data, if Americans do not opt for strengthening the standards for data protection, at least as regards their hitherto unrestricted disclosure to public authorities.

At the end of the day it seems worth keeping track of this very topic, with the opinion of the Article 29 Working Party, further decisions from the European Commission, judgments of the CJEU and finally the EU general regulation on the protection of personal data clearly in the offing – anyhow, we pledge to give you an account of all the more important arrangements as to the transfer of data to the US.