Yves Bot, advocate general (AG) of the European Court of Justice (ECJ), recently passed down his fairly emphatic opinion on Safe Harbour in the case dubbed ‘Europe v Facebook’. Mason Hayes & Curran reflects on what this means for any adoption of the General Data Protection Regulation (GDPR).
On 23 September 2015, ECJ AG Bot delivered his opinion in Schrems vs Data Protection Commissioner. The opinion grabbed headlines because it concluded that US data protection rules – the so-called Safe Harbour principles, which allegedly permit the wholesale disclosure of EU citizens’ data to the National Security Agency in the US – unlawfully breach EU privacy rights, and are invalid.
This part of the opinion has already been discussed at length in the press, so we do not propose to go over it here.
Scratch beneath the surface
While the invalidity of the Safe Harbour decision grabbed headlines, there is another aspect of the opinion which could, if adopted, have potentially more far-reaching legal effects.
The AG expressed the view that Commission decisions on the adequacy of a third country’s data protection law were “not absolutely binding” on national data protection authorities (DPAs).
Even where the Commission had approved the data protection regime of a non-EU state, national data protection authorities were nevertheless required to investigate complaints about alleged shortcomings in that state’s protections.
Where, in the view of the national DPA, these protections were inadequate, the national DPA was required to suspend the transfer of data to that state.
The AG reached this conclusion on the basis that the principle of the independence of national DPAs – stated in the Data Protection Directive and alluded to in Article 8 of the Charter of Fundamental Rights – means that national DPAs’ powers to investigate cannot be limited by decisions adopted by the EU Commission in relation to third country transfers.
Independent powers could confuse matters
Despite secondary legislation adopted by the Commission, national DPAs retain the power to independently assess compliance with fundamental rights.
If adopted, this part of the opinion would have a major impact on the uniform application of data protection rules across the EU.
One consequence of the opinion is that the transfer of employee data from EU affiliates to a US parent company under Safe Harbour rules (or, indeed, any revised Safe Harbour agreement) may be permitted by some national DPAs, but prohibited by others.
Businesses operating across EU jurisdictions could, therefore, be faced with a multiplicity of investigations and differentiated national regulatory requirements relating to third country transfers.
Setbacks and fundamental concerns
This would be a significant setback in terms of legal certainty.
More fundamentally, such a ruling by the CJEU would represent a significant departure from the traditional understanding of basic EU law principles.
The proposition that national authorities have the discretion to disapply EU legislation where necessary to protect fundamental rights (a power that is not even enjoyed by national supreme courts) appears to conflict with the long-standing approach of the CJEU to the supremacy of EU law over national law.
The opinion also appears to confer an elevated status within the EU constitutional order on the principle of the independence of data protection authorities.
The AG takes the view that the principle of DPA independence prohibits the Commission from adopting secondary legislation that constrains the ability of national DPCs to take independent decisions.
It is difficult to reconcile this view with the ordinary understanding of the relationship between the EU legislator and national administrative bodies.
It is also difficult to understand how a Commission decision can be characterised as “not absolutely binding”, in light of the established principles governing the legal effect of EU legislative acts.
If accepted, the AG’s opinion is likely to require revisions to the draft GDPR, currently being negotiated between the EU member states, Commission and Parliament.
The draft regulation is based on the assumption that it is possible to delegate to the Commission the power to adopt secondary legislation that binds national data protection authorities.
The shifting role of the Commission
Several clauses in the draft regulation – for example, those governing model contractual clauses and adequacy decisions – are designed to permit such binding decisions.
In addition, the latest draft put significant focus on measures intended to align the positions of various national DPAs through the so-called “consistency mechanism” and the European Data Protection Board.
These measures may now be legally suspect, given the AG’s comments on the importance of the “absolute independence” of national DPAs.
In short, many aspects of the GDPR may need to be revisited should the CJEU choose to adopt the ‘Schrems Opinion’.
At the very least, the opinion may delay the adoption of the GDPR since the negotiators may need to wait for clarification from the Court on some of the difficult issues raised by the AG.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
This article was written by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.