By Sheri Pan – Edited by Anton Ziajka
Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r (E.C.J. argued Mar. 24, 2015).
Written Observations of Applicant hosted by Europe Versus Facebook.
In Luxembourg on Tuesday, March 24, 2015, the Court of Justice of the European Union (“ECJ”) heard oral arguments in a case challenging the legality of cross-Atlantic transfers of European data to U.S. companies like Facebook. The complaint, brought by Austrian privacy activist Maximillian Schrems, alleges that the U.S.-EU Safe Harbor agreement does not comply with EU Directive 95/46 (“the Directive”), which requires EU member states to ensure that data is being transferred to a country that provides an “adequate level of protection” for the data. Written Observations of Applicant at 8–9, Schrems (Nov. 10, 2014).
A copy of Schrems’ written submission to the ECJ is available here. The Register, the Wall Street Journal (subscription required), Ars Technica, and the Guardian provide reporting and commentary.
On June 25, 2013, Schrems filed a complaint with the Ireland Data Protection Commissioner (“DPC”) requesting that it terminate data transfers from Facebook Ireland to Facebook’s servers in the United States. Id. at 4. Facebook is permitted to send personal information across the Atlantic because it participates in the U.S.-EU Safe Harbor program, under which companies self-certify that they comply with the adequacy requirement under Article 25 of the Directive. See id. at 13. Schrems alleges that, in light of the Snowden leaks regarding the NSA’s PRISM surveillance program, U.S. companies do not meet the adequacy requirement. The Safe Harbor framework thereby does not comply with EU law and data transfers initiated under the provision are illegal, Schrems alleges. Id. at 13–15.
The DPC dismissed the complaint, ruling that it was obligated to accept the European Commission’s July 26, 2000 decision that the Safe Harbor protection was adequate. Id. at 2–3, 5. Upon appeal, the High Court of Ireland referred the case to the ECJ to determine whether DPCs are bound by that July 26, 2000 decision, or whether DPCs are permitted or obligated to conduct an independent inquiry into the protection’s adequacy in light of the factual developments since the Commission’s decision. Reference for a Preliminary Ruling, Schrems (July 25, 2014).
At the hearing in the ECJ, the two sides addressed whether DPCs have authority to suspend data transfers under “extraordinary circumstances.” Schrems, backed by member states Poland, Austria, and Belgium as well as advocacy groups, argued yes. In opposition, the European Commission contended that the Safe Harbor was politically and economically necessary, and that a ruling striking down the agreement would disrupt ongoing negotiations with the United States over amending the provision. The Commission, along with Ireland, requested that the Court allow it to reform the program with the guidance of a thirteen-point plan on how to protect privacy. The lead judge during the proceedings was described as grilling the Commission over the ambiguous language of the Safe Harbor agreement.
The Safe Harbor mechanism was developed in 2000 as a stopgap measure to bring the United States into compliance with the Directive. Proponents of preserving the Safe Harbor argue that it is necessary for Internet companies like Google, Facebook, and Twitter to obtain information for advertising. They warn that disbanding the program would disrupt trade and force companies to contractually negotiate for data flows and to build redundant servers overseas, which may be very costly.
The advocate general will release a nonbinding opinion on June 24, and the ECJ is expected to issue a final ruling before October.
Sheri Pan is a second-year student at Harvard Law School interested in the intersection of technology and public interest law.