After Directive 2006/24/EC on data retention, which the ECJ ruled to be invalid on April 8, 2014, will the Court invalidate “Safe Harbor” agreements? This question arises when one reads the preliminary question that the High Court of Ireland referred to the ECJ last August 26 (Case C-362/14).

The case at the heart of this referral was based on a complaint filed before the High Court by Mr. S, an Austrian national. Mr. S was challenging the refusal of the Irish Commissioner (the Irish data protection authority) to investigate his complaint, filed on June 25, 2013, against the Irish subsidiary of an American company. Mr. S alleged that, given the revelations of the NSA’s monitoring activities under the PRISM program, “the rights and practices of which [the United States], it is claimed, do not contain adequate protections” for the data subject against state surveillance as regards data that are transferred there from Europe. Consequently, Mr. S asked the Commissioner to suspend data transfers to the United States based on “Safe Harbor” agreements, since the protection of such data was not guaranteed. It should be remembered that national data protection authorities’ ability to suspend transfers “to an organization” whose behavior may violate the “Safe Harbor” principles is provided in Article 3 of such agreements.

The Commissioner justified his refusal to investigate Mr. S’s complaint notably by stating that the European Commission’s decision of July 26, 2000, on “Safe Harbor” agreements acknowledged that this mechanism provided “an adequate level of protection for personal data”, so that, pursuant to the principle of the primacy of EU law over national law, he was bound by this decision. Consequently, the Commissioner stated that he did not have the power to evaluate, and even less power to dispute, in a general and abstract manner, the degree of data protection provided by the European Commission’s decision.

Ruling on Mr. S’s complaint against the Commissioner’s refusal, the High Court of Ireland first pointed out that the Commissioner was “naturally bound” by the European Commission’s decision. However, the High Court noted that the “critical issue” is the very “terms” of the Commission’s decision rather than “its application” by the Commissioner. Indeed, Mr. S’s complaint disputes the very principle and effectiveness of “Safe Harbor”, and not a possible lack of application in a specific case by a particular “organization”. The High Court points out, in this respect, that new evidence had arisen since the July 26, 2000 decision. The High Court first mentioned the entry into force, after the decision, of Articles 7 and 8 of the European Union’s Charter of Fundamental Rights on the right to privacy and the protection of personal data, then the revelations regarding the PRISM scandal and, lastly, the recent decision of the ECJ on April 8, 2014. As the High Court indicates, “in these circumstances”, it ruled that it was “appropriate” to refer the question of whether the Commissioner was “absolutely bound” by the Commission’s decision, which found that the United States offered an adequate level of data protection, or whether he “may, or must, conduct his or her own investigation by ascertaining the manner in which facts have changed” since July 26, 2000.

This question referred to the ECJ has potentially serious legal and economic consequences, especially because it takes place within a particular European political context. Indeed, “Safe Harbor” agreements are one of the legal instruments most widely used by companies established in Europe to transfer data to the United States. From fewer than 400 in 2004, American companies registered as “Safe Harbor” members now number nearly 3,300. According to a European Commission study, 51% of companies that are “Safe Harbor”-certified process HR data of employees residing in Europe.
Therefore, “Safe Harbor” is a legal mechanism used daily by a large number of European companies. This is why, according to certain studies cited by the Commission, disrupting transatlantic data flows could have a recessionary effect of between -0.8% and -1.3% on the EU’s GDP.

However, the “Safe Harbor” mechanism is subject to a great deal of scrutiny in Europe that has grown substantially since the PRISM scandal. In its 2004 analysis report, the European Commission identified a number of improvements to be made to the “Safe Harbor” mechanism. In its communication of November 27, 2013, the Commission reiterated part of its findings and again made a series of 13 recommendations, some of which include the 2004 recommendations. Faced with this situation, with the fact that its previous recommendations were relatively ineffective and with the revelations of the PRISM scandal, the European Parliament created an Investigation Committee. In its report filed on January 8, 2014, the Investigation Committee notably demanded the “suspension” of “Safe Harbor” agreements by the European Commission. Therefore, the preliminary question referred to the ECJ takes place within a context of transatlantic tensions and the European Parliament’s political pressure on the European Commission.

The ECJ staked out its position with vigour and conviction this year by ruling in favor of a strict reading of data protection. In its Digital Rights Ireland decision on April 8, 2014, it ruled that Directive 2006/24/EC on data retention constituted disproportionate interference with the rights to privacy and to data protection. In this important decision, paragraph 37 should be pointed out here. In it, the Court states as follows: “It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out […] wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (author’s emphasis). Moreover, in paragraph 68, the Court stated that the Directive “does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured.”

Yet, what is involved in the case referred to the ECJ if it is not “wide-ranging” surveillance conducted by the PRISM program, the “seriousness” of which is difficult to dispute? Because of PRISM, European users, who are monitored against their will, may indeed have the “feeling that their private lives are the subject of constant surveillance”. Also, the protection afforded by the Charter’s Article 8 and by the control of an independent authority is anything but certain. Therefore, although we obviously cannot predict what the ECJ’s decision will be in this case, one can see that the criteria that the Court laid down to invalidate Directive 2006/24 could very well apply to “Safe Harbor” agreements.

The Court has several options. Either it rules that it is possible to interpret “Safe Harbor” agreements in light of the requirements of the Charter’s Articles 7 and 8, which should lead national data protection authorities, like the Commissioner, to conduct their own investigation. If this occurs, then a new period of legal uncertainty would begin within the European Union, as one could not rule out the risk of differing interpretations being made by the 28 national data protection authorities.
Or, the Court rules that such an interpretation is legally impossible. As national data protection authorities are bound by the Commission’s decision, they could investigate only specific companies’ known breaches and not violations committed by the American authorities.

Another option would be that the Court, which is in charge of ensuring compliance with European law, rephrases the question and takes the initiative in assessing the lawfulness of “Safe Harbor” agreements, even though it has only been asked to review the interpretation thereof. It should be recalled that the ECJ has already taken such an initiative in the past.

Therefore, one must remain vigilant about this issue because its outcome will have significant repercussions on the legal regime for transatlantic data transfers.

Yann Padova joined Baker McKenzie as a partner in the Information Technology Group and head of the Data Protection Practice in Paris. He is internationally recognized in digital network law, personal data and regulatory law. Yann Padova has 17 years of extensive experience in data protection and has served both as a regulator and a lawyer. In November 2017, he was appointed “Country Leader” by the International Association of Privacy Professionals (IAPP). Before joining Baker McKenzie, Yann Padova served as Commissioner with the Commission de Régulation de l’Energie (2015-2017), to which he was appointed by the President of the National Assembly due to his skills in the field of personal data. Before this, he had worked for Baker McKenzie in Paris as Senior Counsel in the Information Technologies and Communications team (2012-2015). For 6 years, he was Secretary General of the CNIL, the French data protection authority (2006-2012), where he participated in the very first rounds of negotiations of the GDPR. He began his career as an Administrator at the National Assembly (1995-2006), where he specialised in personal data laws, criminal law and criminal procedure and notably participated in the legal work that led to the transposition of Directive 95/46 on data protection into French law.