Ireland

Court of Justice of the European Union: Schrems v. Data Protection Commissioner

IRIS 2015-10:1/2

Ronan Ó Fathaigh

Institute for Information Law (IViR), University of Amsterdam

On 6 October 2015, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-362/14, Schrems v. Data Protection Commissioner, which was a preliminary reference from an Irish court asking whether: (a) national data protection authorities are absolutely bound by a European Commission decision, where an individual claims their personal data is being transferred to a country where there are inadequate laws on data protection, and (b) a national data protection authority should conduct its own review in light of factual developments since a Commission decision was first taken.

The case arose when an Austrian user of Facebook made a complaint to the Irish Data Protection Commissioner, asking the authority to prohibit Facebook Ireland from transferring his personal data to the United States, as he claimed US law did not adequately protect his personal data. The Commissioner rejected the complaint, holding that under the Commission’s Decision 2000/520 (the “safe harbour scheme”), US law ensured an adequate level of protection. The Irish High Court reviewed the Commissioner’s decision, and asked the CJEU to rule on whether the Commissioner was absolutely bound by the Commission’s decision on US law, and whether the Commissioner should instead carry out its own review of US law.

On the questions referred by the Irish court, the CJEU ruled that the Data Protection Directive must be interpreted as meaning that a Commission decision “does not prevent” a national authority from examining a claim from an individual that “the law and practices in force” in another country “do not ensure an adequate level of protection”. The Court then noted that the Irish court “seems essentially to share” the complainant’s “doubts” about the “validity of Commission 2000/520”, and “in order to give the referring court a full answer”, the Court also examined whether the Commission’s decision complied with the Data Protection Directive and the EU Charter of Fundamental Rights.

The CJEU reviewed the Commission’s decision, and concluded the decision was “invalid” because “the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments”. Thus, the decision was invalid, “without there being any need to examine the content of the safe harbour principles” by the Court. Finally, the Court held that the Commission “exceeded [its] power” when it restricted national authorities’ powers of review.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.