This article belongs to the debate » The Schrems Case
08 October 2015

The Sinking of the Safe Harbor

The judgment of the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (Case C-362/14) is a landmark in EU data protection law, but one about which I have serious misgivings. While I share the Court’s concern regarding the surveillance practices of the US government (and other governments for that matter) and some of its criticisms of the EU-US Safe Harbor Arrangement, I take exception to its lack of interest in the practical effects of the judgment and the global context in which EU law must operate.

The judgment largely affirms the opinion of Advocate General Bot of 23 September, and holds that the national data protection authorities (DPAs) must have the power to reach their own conclusions about European Commission decisions concerning the adequacy of data protection in third countries under Article 25 of EU Directive 95/46 (paras. 38-66 of the judgment). In finding Commission Decision 2002/520 establishing the Safe Harbor to be invalid (para. 106), the Court affirms the need for a high standard of data protection as set out in its previous case law such as Digital Rights Ireland (Joined Cases C-293/12 and C-594/12), and holds that while data protection standards in third countries need not be “identical” to those in the EU, they must be “equivalent” (para. 73). It goes on to conclude that US law fails to limit interference with EU fundamental rights (para. 88), and that Decision 2002/520 contains gaps in protection with regard to data transferred under the Safe Harbor (para. 89).

As the Commission stated in the Communication introducing its proposed General Data Protection Regulation (GDPR) that will replace the Directive, the current fragmentation of data protection law in the EU has already led to “uneven protection for individuals”, and the Court’s confirmation that individual DPAs may interpret Commission decisions (para. 53) will only make the situation worse. The judgment’s emphasis on the need for the DPAs to be “completely independent” (see paras. 40, 57, and 99) will complicate the adoption of a legal framework for their cooperation in the proposed European Data Protection Board foreseen in the GDPR.

The judgment also creates uncertainty concerning data transfers conducted under other legal mechanisms (e.g., standard contractual clauses or binding corporate rules). The Court stresses that adequacy must be determined based on the “domestic law and international commitments” of a third country (para. 96), suggesting that it depends not just on the details of particular data transfer mechanism, but on the totality of fundamental rights protection in a third country’s legal system.

Since these other data transfer mechanisms grant no greater protection against access by the intelligence services than did the Safe Harbor (as I have argued previously), the judgment implicitly seems to throw them into question as well. Indeed, many or perhaps even most countries around the world exempt the activities of their intelligence services from their national data protection law and lack an effective oversight structure for surveillance activities, leading one to ask how under the Court’s reasoning adequate protection for data transfers can ever exist.

Thousands of former Safe Harbor member companies (including those with their headquarters in the EU) will now have to begin a lengthy process to implement alternative mechanisms for transferring data to the US, creating a legal vacuum for the protection of data transfers. The fact that the Court failed to use its power, which it has exercised on other occasions (see Société Regie Networks, Case C-333/07), to mitigate the temporal effects of the judgment and give companies a “grace period” to implement alternatives to the Safe Harbor shows its lack of interest in how EU data protection law functions “on the ground”.

Motivating third countries to adopt EU data protection standards requires that the bar not be set so high that they have no realistic chance of meeting it. The CJEU has held that EU law is an autonomous and unique legal order (see Opinion 2/13, para. 158), suggesting that by definition few countries outside the European region will be able to emulate it.

Setting an unrealistic standard for adequacy and inciting individuals to have adequacy decisions reviewed by the CJEU (see paras. 61-65) makes a system that is already slow and cumbersome, with only 12 decisions issued in 17 years (11 minus the Safe Harbor), even more glacial. The issuance of adequacy decisions by the Commission has become an example of what Martti Koskeniemi refers to as human rights “petrified into a legalistic paradigm”, and has little to do with real data protection. It is hard to understand why the EU legislator has apparently not included any improvements to the process for issuing adequacy decisions ( which could include, for example, deadlines, greater transparency, input from stakeholders, etc) in the GDPR.

The Court could have required reform of the Safe Harbor while still upholding fundamental rights, such as by adopting a Solange approach coupled with a demand to make improvements within a certain time period. Instead, it makes the transfer of personal data to third countries dependent on their strict adherence to EU standards, which is not feasible in a pluralistic world with over two hundred countries and many different conceptions of rights.

The late Ulrich Beck wrote that “in order to pursue their national interest, countries need to…surrender parts of their autonomy in order to cope with national problems in a globalized world”. Data protection is a prime example of an area of law where national and local approaches are no longer sufficient. The EU and the US share deep cultural and historical ties, and as liberal democracies their legal systems have many similarities. In theory, providing legal protection for data transfers across the Atlantic should be one of the easier tasks of privacy lawmaking, and if we cannot do this, then how can it ever be provided for data transfers to countries like China and India? The idea that EU data protection law can survive in a constitutional biotope walled off from contact with other legal systems is illusory, and will only undermine the global protection of personal data that the Schrems judgment aims to promote.


2 Comments

  1. D. Elshorst Thu 8 Oct 2015 at 16:12 - Reply

    Dear Prof. Kuner, I respectfully disagree with your articles thesis. In essence, you are saying that the court’s ruling is impractical and for that reason the court should have accepted the violation of the human right to privacy.

    It may be so that the court’s decision will lead to hardship in implementation. The reason is the complete and utter disregard lawmakers have shown to the right to privacy in the past. Now, for that reason, dismissing Mr. Schrem’s lawsuit would have added insult to injury.

    There are other fields of human right protection where we also simply expect other countries to provide “equivalent” protection. Germany will not extradite a suspect of a crime to a country where he/she faces the death penalty, torture or inhumane treatment. A court verdict from one country that contradicts the ordre public will not be enforced in another (so, no punitive damages from a US court verdict).

    I think the European Court rightly insists on the observance of the human right to privacy. The fact that the US, the UK, and large part of the i-conomy disregard it makes no difference.

  2. Christopher Kuner Thu 8 Oct 2015 at 16:54 - Reply

    Dear Mr. Elshorst,

    thanks for reading my piece and for your comment, which in turn I have to respectfully disagree with. What I did not say is that “that the court’s ruling is impractical and for that reason the court should have accepted the violation of the human right to privacy.,” I would be a very poor lawyer to make such an argument. I suppose my main theses are: 1) the judgment actually won’t lead to better data protection in practice, and 2) this is another example of the CJEU consistently ignoring the international implications of its rulings. Scholars of EU law who are much more eminent than me, such as Joseph Weiler and Grainne De Burca, have also made this argument. I also think that this case exemplifies the criticism of fundamental rights that they don’t have any content outside the context of the political views that one proceeds from. I also think the examples you give aren’t really convincing (the death penalty and torture are prime examples of non-derogable rights, whereas the CJEU has said consistently that data protection is not an absolute right). I don’t really care about the politics of the judgment, I am a lawyer and only deal with the legal issues. So we will have to agree to disagree! But thanks again for your comment.

Leave A Comment

WRITE A COMMENT

1. We welcome your comments but you do so as our guest. Please note that we will exercise our property rights to make sure that Verfassungsblog remains a safe and attractive place for everyone. Your comment will not appear immediately but will be moderated by us. Just as with posts, we make a choice. That means not all submitted comments will be published.

2. We expect comments to be matter-of-fact, on-topic and free of sarcasm, innuendo and ad personam arguments.

3. Racist, sexist and otherwise discriminatory comments will not be published.

4. Comments under pseudonym are allowed but a valid email address is obligatory. The use of more than one pseudonym is not allowed.




Explore posts related to this:
EuGH, Legal autonomy, Schrems


Other posts about this region:
Europa, USA