National case details
Registration ID: 2013/765 JR
Instance: 1st Instance
Case status: Final
Area of law
Safeguards for access to justice
Relevant principles applied
Preliminary ruling18 June 2014, Case C-C-362/14 M. S. v Data Protection Commissioner, joined party: Digital Rights Ireland Ltd
26 July 2000
Adoption of Commission Decision 2000/520/EC
5 June 2013
First revelations by Edward Snowden on NSA surveillance programm
25 June 2013
Complaint lodged with the Irish Data Protection Commissioner
Commissioner rejects Mr S’ complaint
17 July 2014
Irish High Court makes a preliminary reference to the CJEU
6 October 2015
20 October 2015
Irish High Court sets aside Commissioner’s decision
31 May 2016
New proceedings before Irish High Court
12 July 2016
Privacy Shield adopted by the European Commission
3 October 2017
High Court makes a preliminary reference re validity of SCCs
Identification of the case
- Data Protection Act 1988
- Constitution, Article 40 (personal rights, including the right to privacy)
- Constitution, Article 41 (protection of family life)
- Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce
Summary of the case
Mr S., an Austrian national and Facebook user, lodged a complaint with the Irish Data Protection Commissioner with a view to preventing the transfer of his personal data from Facebook Ireland (which collects the data of EU users) to the US-based Facebook Inc. Following the revelation by E. S. of mass surveillance activities carried out by the US National Security Agency (NSA), Mr S. maintained that the US legal order does not ensure adequate protection of personal data. The Commissioner however rejected the application as unfounded, holding that there was no evidence that Mr S.’ personal data had been obtained and that, in any case, the Commissioner was bound on the matter by the European Commission Decision 2000/520, which establishes that the US – through its Safe Harbor Privacy Principles – ensures an adequate level of protection.
Mr S. challenged the Commissioner’s decision before the High Court. The High Court held that undifferentiated access of personal data is contrary to the principle of proportionality and to the rights to privacy and inviolability of the dwelling; the right to be heard is also at stake. According to the Court, in view of the serious doubt that US procedures guarantee protection of these rights, the Commissioner should have investigated the complaint; however, the Court also recognised that the lawfulness or otherwise of the Commissioner’s determination is dependent on the interpretation of Directive 95/46 and the validity of Decision 2000/520 in light of the EU Charter of Fundamental Rights and of the principles expressed by the CJEU in Digital Rights Ireland.
- Civil judicial enforcement
Annulment of the decision of the data protection authority to reject the applicant’s complaint as unfounded
The Irish High Court essentially asks “whether and to what extent Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, prevents a supervisory authority of a Member State […] from being able to examine the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
The CJEU underlined that the establishment of independent national supervisory authorities with a wide range of powers is provided for in Directive 95/46, and imposed by Article 8(3) CFREU, to ensure a high level of protection of the fundamental rights of individuals. Accordingly, national supervisory authorities are responsible for verifying whether a transfer of personal data from their own Member State to a third country complies with Directive 95/46 – i.e., whether an adequate level of protection in ensured. However, when the European Commission, pursuant to Article 25(6) of Directive 95/46, adopts a decision finding that a third country ensures an adequate level of protection, such a decision is binding on Member States (including their supervisory authorities), at least until that decision is declared invalid by the CJEU.
Nonetheless, the existence of a Commission’s decision does not prevent individuals from filing a complaint regarding the transfer of their personal data to the third country, nor the supervisory authority from examining the said complaint. Since such a complaint would ultimately concern the legality of the Commission’s decision (in the sense of its compatibility with EU-protected fundamental rights) and the CJEU only is competent to declare EU acts invalid, when a complaint is rejected as unfounded by the supervisory authority, the applicant must be able, pursuant to Article 28(3) of Directive 95/46 read in the light of Article 47 CFREU, to challenge this determination before national courts (which must ask the CJEU for a preliminary ruling on validity where they consider the complaint well-founded). If, on the contrary, the national supervisory authority considers that the complaint is well-founded, that authority must, pursuant to Article 28(3) of Directive 95/46 read in light of Article 8(3) CFREU, be able to bring legal proceedings before national courts.
The CJEU thereafter considered the validity of Decision 2000/520. The Court first of all observed that compliance with the safe harbour principles, issued by the US Department of Commerce and deemed by the Commission to ensure adequate protection, is based on a self-certification system; that the principles do not apply to US public authorities; and that their application may be limited on the grounds of national security, public interest, or law enforcement. Notwithstanding the general nature of this derogation, Decision 2000/520 does not refer to any US rules that limit the interference with the fundamental rights of the data subjects, nor to effective remedies against that interference. The Court underlined that EU legislation which interferes with the rights protected by Articles 7 and 8 CFREU must clearly delimit the scope and application of restrictive measures and impose minimum safeguards; that any derogations to the protection of personal data must be strictly necessary; and that legal remedies must be available, pursuant to Article 47 CFREU. According to the Court, “the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments”; Article 1 of the decision was therefore considered invalid. The same finding concerned Article 3 of the decision, inasmuch as it unlawfully restricts the powers of national supervisory authorities by essentially precluding them to act to ensure compliance with Article 25 of Directive 95/46. The CJEU then established the invalidity of the decision as a whole.
After the Irish High Court quashed the Data Protection Commissioner’s decision, the Commissioner initiated an investigation into the complaint filed by Mr S. At the end of the investigation, the Commissioner preliminarily found that Mr S.’ complaint was well-founded: on 31 May 2016, the Commissioner therefore commenced proceedings before the Irish High Court seeking a preliminary reference to the CJEU in relation to the Standard Contractual Clauses, which have been used by US companies following the declaration of invalidity of Decision 2000/520. On 3 October 2017, the High Court made a referral to the CJEU concerning the validity of the European Commission’s decisions enshrining the said contractual clauses (High Court (Commercial), Data Protection Commissioner v. Facebook Ireland Limited and M. S., 2016 No. 4809 P.).
Role of the Charter and role of the general principles on enforcement
The CJEU referred multiple times to Articles 7 and 8 CFREU, in light of which – according to the Court – Directive 95/46 must be interpreted. The CJEU also applied Article 47 CFREU to hold that the lack of legal remedies for access to, amendment or erasure of personal data violates that provision.
- Explicit reference to Art. 47, CFREU (right to an effective remedy and a fair trial)
Articles 7 and 8 CFREU lie at the core of the CJEU judgment. The Court opened its reasoning by observing that Directive 95/46, inasmuch as it regulates the processing of personal data, which might interfere with fundamental rights, must be interpreted in light of the Charter. Additionally, in the opinion of the Court, Directive 95/46 aims to ensure a “high level of protection” of fundamental rights. Specifically, the establishment of independent national supervisory authorities is held to flow from Article 8(3) CFREU: this inter alia prevents a Commission’s decision from limiting the powers of these authorities. In particular, national authorities must be able to ascertain whether a transfer of data to a third country is in compliance with the directive: otherwise, data subjects “would be denied the right, guaranteed by Article 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim for the purpose of protecting their fundamental rights”. Article 8(3) also implies that, whenever a claim is deemed well-founded by the national authority, this latter must be able to bring proceedings before a court, if the validity of a Commission’s decision is concerned. When, on the contrary, a national authority rejects such a claim, Article 47 CFREU comes into play and requires that the complainant have access to a court to challenge the supervisory authority’s refusal to act.
Furthermore, the Court found that “the important role played by the protection of personal data in the light of the fundamental right to respect for private life” limits the Commission’s discretion in its assessment of the adequacy of the level of protection, allowing for a strict review by the CJEU.
Finally, the above-mentioned CFREU Articles led to the declaration of invalidity of Decision 2000/520, inasmuch as they forbid the blanket storage of personal data and the lack of legal remedies to have data accessed, rectified or erased.
While the principle of effectiveness does not appear central to the reasoning of the CJEU, which focuses on the application of the Charter, the principle is (rather indirectly) referred to in order to underline the importance of independent national supervisory authorities for the protection of individuals, as well as to scrutinise the level of protection offered by the US system.
With regard to the generalised access by US authorities to personal data transferred from the EU, the Irish High Court had found that it appears to violate the principle of proportionality. The CJEU confirmed that the right to respect for private life can be limited only insofar as strictly necessary, and that “legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception”. Accordingly, such a legislation would infringe the essence of the right protected by Article 7 CFREU.
Elements of judicial dialogue
- Direct dialogue between CJEU and National court (preliminary reference)
- CJEU, C-293/12 and C-594/12, Digital Rights Ireland
Establishing the validity of a decision adopted by the European Commission pursuant to Article 25(6) of Directive 95/46
On 20 October 2015, the Irish High Court set aside the decision by the Irish Data Protection Commissioner not to investigate the complaint lodged by Mr. S.
Additional notes on the decision
After Decision 200/520 was declared invalid by the CJEU, US companies started to apply alternative existing contractual instruments approved by the European Commission, i.e. the Binding Corporate Rules and the Standard Contractual Clauses. However, a new general framework for transfers of personal data from the EU to the US was deemed necessary, and the European Commission and US government – which were already negotiating a new package – accelerated talks. On 12 July 2016, Commission Implementing Decision 2016/1250 pursuant to Directive 95/46 on the adequacy of the protection provided by the EU-U.S. Privacy Shield was adopted. Notwithstanding improvements (such as the oversight role of the new US Ombudsman), several persistent shortcomings have been pointed out among others by the national supervisory authorities and the European Parliament, and legal challenges against the new decision are foreseeable. In fact, two actions for annulment of Commission Implementing Decision 2016/1250, essentially based on its incompatibility with Articles 7, 8 and 47 CFREU, have already been brought before the EU General Court: these are La Quadrature du Net and Others v Commission (Case T-738/16) and Digital Rights Ireland v Commission (Case T-670/16).
The CJEU S. judgment has had a significant impact on the powers of national supervisory authorities and is likely to give rise to an increase of national judicial proceedings, initiated either by individuals whose complaints have been rejected by the supervisory authorities or by the supervisory authorities themselves.