The case stems from a 2013 complaint filed by Maximilian Schrems, an Austrian national, law graduate and Facebook user. Schrems had followed Snowden’s whistleblowing carefully and was actively involved in his Europe v Facebook group. Together with his group, he filed a complaint with the Irish Data Protection Commissioner (“DPC”) in 2013 (the private data of European-based Facebook users is stored in Irish data centers and is subject to Irish data protection law). The Irish DPC rejected Schrems’s complaint, deeming that there was no case to answer and that his case appeared to be “frivolous and vexatious.” Schrems then had the decision judicially reviewed by the Irish High Court in 2014. The Irish Court deemed that the case had merit and should in fact be referred to the CJEU given its significance: it claimed that the Safe Harbor was inadequate, since the discovery of US actions invading people’s privacy raised questions as to whether the Safe Harbor was indeed protecting EU citizens’ data.
Significance of picking Ireland
Schrems chose Ireland for his initial complaint because Ireland has long been viewed, internationally and in Europe, as having robust data protection legislation and regulation in place. In fact, Ireland was one of the first countries in Europe to implement specific legislation guaranteeing the right to privacy for its citizens, through the Data Protection Act 1988. This explains why Schrems took his case through the Irish legal and regulatory system.
As a result of Schrems’s successful claims in the CJEU, the case has now returned to the Irish High Court, which will instruct the DPC to investigate Schrems’s complaint against Facebook fully.
On the 6th of October, 2015 the CJEU ruled that personal data transfers using the Safe Harbor were invalid. Prior to this decision, and as a result of Snowden’s whistleblowing, the EC in 2013 was already trying to deal with the shortfalls of the Safe Harbor. The CJEU agreed with Schrems and Advocate General Bot, deeming
“that the revelations made by Edward Snowden (demonstrate) a significant over-reach on the part of the NSA and other similar agencies.”
Given that EU citizens’ personal data was being accessed by the NSA and handled in a wide variety of ways in US jurisdictions, Advocate General Bot deemed that EU citizens have “no effective right to be heard on the question of the surveillance and interception of their data.” This further highlighted why the EU had to protect the rights of its citizens and provide additional protection measures by deeming the Safe Harbor invalid.
Significance of the decision
Over 4,500 US companies rely on the Safe Harbor to allow personal data to be transferred from the EU to the US. The ruling does not relate solely to these companies, or to technology companies in general, but to any business that transfers personal data from the EU to the US based on the Safe Harbor. All businesses, in light of the recent CJEU ruling, should avoid allowing transfers of personal data to take place based solely on the Safe Harbor.
It should also be noted that on 1 October 2015, just before the Schrems decision, the CJEU handed down its judgment in the Weltimmo case (Case C-230/14). This case was brought by the Hungarian data protection authority against the website Weltimmo (a Slovakian property website), and it has further implications for the application of the Safe Harbor ruling.
This decision effectively held that where a company operates in another country, it can be held accountable to the national data protection authority of the country in which it operates, whether or not the company is headquartered or formally established in that other country. Therefore, Facebook, LinkedIn, Amazon, Google etc., which offer services to Irish, German, UK and French users, could find themselves falling within the jurisdictional scope of the national data protection authorities of those countries. This further highlights why the new EU Data Protection Regulation, which aims to unify member states’ approach to data protection and privacy, is even more important now in light of the recent decisions, in order to reduce practical considerations for business.
Another consequence of the Schrems decision is that member states can suspend the transfer of data to the US, thereby forcing companies to try to host data exclusively within the EU country in which they operate or in another suitable EU member state. Furthermore, countries could demand, in light of both decisions, that personal data on their citizens be stored only within their jurisdictional scope. Russia is one of the first countries to introduce such a requirement, under which the personal data of all Russian citizens must be stored within Russia.
Internet giants such as Windows and Amazon will now try to seek data storage within the EU in order to ensure that any personal data they handle is kept within the safety of the EEA and, as a result, in compliance with the EU legal and regulatory regime surrounding data protection and privacy. It will also lead to many organisations relocating their technology functions, such as data processing and backup storage, back to the EU in order to meet the EU’s legal and regulatory requirements.
As it stands, the EU and the US negotiated an acceptable equivalent to the Safe Harbor at the start of 2016, in light of the Schrems decision, by agreeing to the EU-US Privacy Shield.