Friday, October 9, 2015

Court of Justice of the European Union PRESS RELEASE No 117/15 Luxembourg, 6 October 2015 Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid COPY.

 Court of Justice of the European Union
PRESS RELEASE No 117/15
Luxembourg, 6 October 2015
Judgment in Case C-362/14
Maximillian Schrems v Data Protection Commissioner
The Court of Justice declares that the Commission’s US Safe Harbour Decision is
invalid
Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is
lodged with the national supervisory authorities they may, even where the Commission has
adopted a decision finding that a third country affords an adequate level of protection of personal
data, examine whether the transfer of a person’s data to the third country complies with the
requirements of the EU legislation on the protection of that data and, in the same way as the
person concerned, bring the matter before the national courts, in order that the national courts
make a reference for a preliminary ruling for the purpose of examination of that decision’s validity
The Data Protection Directive1
provides that the transfer of personal data to a third country may, in
principle, take place only if that third country ensures an adequate level of protection of the data.
The directive also provides that the Commission may find that a third country ensures an adequate
level of protection by reason of its domestic law or its international commitments. Finally, the
directive provides that each Member State is to designate one or more public authorities
responsible for monitoring the application within its territory of the national provisions adopted on
the basis of the directive (‘national supervisory authorities’).
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case
with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to
Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States,
where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data
Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by
Edward Snowden concerning the activities of the United States intelligence services (in particular
the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer
sufficient protection against surveillance by the public authorities of the data transferred to that
country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of
26 July 20002
the Commission considered that, under the ‘safe harbour’ scheme,3
the United
States ensures an adequate level of protection of the personal data transferred (the Safe Harbour
Decision).
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether
that Commission decision has the effect of preventing a national supervisory authority from
investigating a complaint alleging that the third country does not ensure an adequate level of
protection and, where appropriate, from suspending the contested transfer of data.
In today’s judgment, the Court of Justice holds that the existence of a Commission decision
finding that a third country ensures an adequate level of protection of the personal data transferred
cannot eliminate or even reduce the powers available to the national supervisory authorities

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of
the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently
asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
3
The safe harbour scheme includes a series of principles concerning the protection of personal data to which United
States undertakings may subscribe voluntarily.
www.curia.europa.eu
under the Charter of Fundamental Rights of the European Union and the directive. The Court
stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and
the task with which the national supervisory authorities are entrusted under the Charter.
The Court states, first of all, that no provision of the directive prevents oversight by the national
supervisory authorities of transfers of personal data to third countries which have been the subject
of a Commission decision. Thus, even if the Commission has adopted a decision, the national
supervisory authorities, when dealing with a claim, must be able to examine, with complete
independence, whether the transfer of a person’s data to a third country complies with the
requirements laid down by the directive. Nevertheless, the Court points out that it alone has
jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently,
where a national authority or the person who has brought the matter before the national authority
considers that a Commission decision is invalid, that authority or person must be able to bring
proceedings before the national courts so that they may refer the case to the Court of Justice if
they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court
of Justice which has the task of deciding whether or not a Commission decision is valid.
The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the
Court states that the Commission was required to find that the United States in fact ensures, by
reason of its domestic law or its international commitments, a level of protection of fundamental
rights essentially equivalent to that guaranteed within the EU under the directive read in the light of
the Charter. The Court observes that the Commission did not make such a finding, but merely
examined the safe harbour scheme.
Without needing to establish whether that scheme ensures a level of protection essentially
equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable
solely to the United States undertakings which adhere to it, and United States public authorities are
not themselves subject to it. Furthermore, national security, public interest and law enforcement
requirements of the United States prevail over the safe harbour scheme, so that United States
undertakings are bound to disregard, without limitation, the protective rules laid down by that
scheme where they conflict with such requirements. The United States safe harbour scheme
thus enables interference, by United States public authorities, with the fundamental rights of
persons, and the Commission decision does not refer either to the existence, in the United States,
of rules intended to limit any such interference or to the existence of effective legal protection
against the interference.
The Court considers that that analysis of the scheme is borne out by two Commission
communications,4
according to which the United States authorities were able to access the
personal data transferred from the Member States to the United States and process it in a way
incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly
necessary and proportionate to the protection of national security. Also, the Commission noted that
the persons concerned had no administrative or judicial means of redress enabling, in particular,
the data relating to them to be accessed and, as the case may be, rectified or erased.
As regards a level of protection essentially equivalent to the fundamental rights and freedoms
guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what
is strictly necessary where it authorises, on a generalised basis, storage of all the personal
data of all the persons whose data is transferred from the EU to the United States without any
differentiation, limitation or exception being made in the light of the objective pursued and
without an objective criterion being laid down for determining the limits of the access of the public
authorities to the data and of its subsequent use. The Court adds that legislation permitting the
public authorities to have access on a generalised basis to the content of electronic

4 Communication from the Commission to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US
Data Flows’ (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European
Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies
Established in the EU (COM(2013) 847 final, 27 November 2013).
www.curia.europa.eu
communications must be regarded as compromising the essence of the fundamental right to
respect for private life.
Likewise, the Court observes that legislation not providing for any possibility for an individual to
pursue legal remedies in order to have access to personal data relating to him, or to obtain the
rectification or erasure of such data, compromises the essence of the fundamental right to
effective judicial protection, the existence of such a possibility being inherent in the existence of
the rule of law.
Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities
their powers where a person calls into question whether the decision is compatible with the
protection of the privacy and of the fundamental rights and freedoms of individuals. The Court
holds that the Commission did not have competence to restrict the national supervisory
authorities’ powers in that way.
For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has
the consequence that the Irish supervisory authority is required to examine Mr Schrems’
complaint with all due diligence and, at the conclusion of its investigation, is to decide
whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers
to the United States should be suspended on the ground that that country does not afford
an adequate level of protection of personal data.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes
which have been brought before them, to refer questions to the Court of Justice about the interpretation of
European Union law or the validity of a European Union act. The Court of Justice does not decide the
dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s
decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.