Legal Service
SJ-0686/14
Brussels, 22 October 2014
D(2014)50317
TO THE PRESIDENT AND THE MEMBERS OF THE COURT OF JUSTICE OF
THE EUROPEAN UNION
WRITTEN OBSERVATIONS
submitted pursuant to Article 23, paragraph 2, of the Protocol on the Statute of the Court of
Justice of the European Union by
THE EUROPEAN PARLIAMENT
represented by Mr Antonio CAIOLA, Head of Unit in the Legal Service,
Mr Dominique MOORE and Ms Mirena PENCHEVA, members of the Legal Service, acting
as agents, having accepted that notifications may be sent via e-Curia or, where appropriate, to
the following address: the European Parliament, Legal Service, KAD 06A007, L-2929
Luxembourg
in Case C–362/14
concerning a request for a preliminary ruling made, pursuant to Article 267 TFEU, by the
High Court of Ireland (Ireland) in the case
Maximillian SCHREMS v Data Protection Commissioner,
concerning the interpretation of Articles 7, 8 and 47 of the Charter of Fundamental Rights of
the European Union and the interpretation of Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing
of
personal
data
and
on
the
free
movement
of
such
data.
B-1047 Brussels - Tel +32 2 28 43209 - Fax +32 2 284 68 82
L-2929 Luxembourg - Tel +352 43 00 22626 - Fax +352 43 23 07
F-67070 Strasbourg - Tel +33 3 88 1 73385 - Fax +33 3 88 37 02 36
2
CONTENTS
I.
INTRODUCTION .......................................................................................................... 3
II. ACTION BEFORE THE NATIONAL COURT AND FINDINGS OF FACT ......... 3
A.
Findings of fact of the national court ................................................................... 4
III. LEGAL CONTEXT ........................................................................................................ 5
A.
Charter of Fundamental Rights ........................................................................... 5
B.
Directive 95/46/EC ................................................................................................. 6
IV. CONSIDERATION OF THE QUESTIONS REFERRED ......................................... 7
A.
Charter of Fundamental Rights ........................................................................... 7
1.
Interference with the rights laid down in Articles 7 and 8 of the Charter .. 8
2.
No possible justification under Article 52(1) of the Charter: mass
surveillance is inherently disproportionate .................................................... 9
3.
Article 8(3) of the Charter - powers of independent authorities ................ 10
4.
Article 47 of the Charter ................................................................................ 11
B.
Directive 95/46 ..................................................................................................... 12
1.
Purpose of Directive 95/46 - Member States to protect fundamental rights
........................................................................................................................ 12
2.
General structure of the Directive: Chapter IV on transfers and Chapter
VI on supervisory authorities ...................................................................... 13
3.
Scheme of Article 25 of the Directive on "adequacy" - objective test ........ 14
4.
Wording of Article 25(6) of the Directive - meaning of "measures necessary
to comply" ..................................................................................................... 16
5.
Wording
of
Article
28(1)
of
the
Directive
-
meaning
of
"complete independence" ............................................................................. 18
C. National law ......................................................................................................... 19
V.
CONCLUSIONS ........................................................................................................... 21
3
I.
INTRODUCTION
1.
The request for a preliminary ruling made by the High Court of Ireland was notified to
the European Parliament on 26 August 2014, by letter of the Registry of the Court of
Justice of the same date.
2.
The national court has referred the following questions to the Court of Justice :
"
Whether in the course of determining a complaint which has been made to an
independent office holder who has been vested by statute with the functions of
administering and enforcing data protection legislation that personal data is being
transferred to another third country (in this case, the United States of America) the
laws and practices of which, it is claimed, do not contain adequate protections for the
data subject, that office holder is absolutely bound by the Community finding to the
contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having
regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of
the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive
95/46/EC notwithstanding? Or, alternatively, may and/or must the office holder
conduct his or her own investigation of the matter in the light of factual developments
in the meantime since that Commission Decision was first published?"
3.
To answer these questions the European Parliament considers that it is, first and
foremost, necessary to examine the application of the Charter of Fundamental Rights
(hereafter the "Charter") and in particular Articles 7, 8 and 47 thereof. The correct
interpretation of Directive 95/46 should then be assessed, in conformity with the
Charter, in view of its wording, scheme and purpose.
II. ACTION BEFORE THE NATIONAL COURT AND FINDINGS OF FACT
4.
The case pending before the High Court of Ireland concerns a complaint by an Austrian
national, Mr Schrems, made on 25 June 2013 to the Irish Data Protection Commissioner
("the Irish Commissioner") about transfers of personal data by Facebook Ireland Ltd. to
the servers of its U.S. parent, Facebook Inc., which are physically located within the
United States of America.
5.
Mr Schrems is a Facebook user and the essence of his complaint of 25 June 2013 to the
Irish Commissioner was that, in the light of the revelations made from May 2013
4
onwards by Mr Edward Snowden concerning the activities of the US National Security
Agency, there was no meaningful protection in US law and practice in respect of data so
transferred to the US so far as State surveillance was concerned.
6.
By letters dated 25 and 26 July 2013, the Irish Commissioner stated that under Irish
legislation - the Data Protection Act 1988 ("the 1988 Act") - he simply cannot
investigate this complaint further,
inter alia because the European Commission had
determined in its Safe Harbour Decision1 that the US ensures an adequate level of data
protection in accordance with Article 25(6) of Directive 95/46/EC.2 The Irish
Commissioner noted that the Safe Harbour Decision was a "
Community finding" for the
purposes of s. 11(2)(a) of the 1988 Act and that consequently any question of the
adequacy of data protection in the US was required by Irish law to "
be determined in
accordance with that finding". As the Irish Commissioner considered that Irish
legislation does not allow him to arrive at a finding inconsistent with the Safe Harbour
Decision, he adopted a decision not to investigate Mr Schrems’ complaint further.
7.
Mr Schrems then challenged that decision of the Irish Commissioner in a case before
the High Court of Ireland. It is in this context that the High Court of Ireland has now
referred questions to the Court of Justice for a preliminary ruling.
8.
Before though examining the legal questions raised by the High Court of Ireland for a
preliminary ruling, the European Parliament wishes to draw the attention of the Court of
Justice to the findings of fact made by the national court, against which background
these questions must now be assessed.
A.
Findings of fact of the national court
9.
Based on the evidence submitted in the national proceedings, the High Court of Ireland
has made the following findings of fact,
inter alia, which are stated in the Request for a
preliminary ruling [emphasis added]:
"
EU citizens have no effective right to be heard on the question of the interception
and surveillance of their data" by the US National Security Authority (and other
1
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequacy of
the protection provided by the safe harbour privacy principles and related frequently asked questions
issued by the US Department of Commerce (OJ L 215, 25.08.2000, p.7).
2
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data (OJ L
281, 23.11.1995, p. 31).
5
similar US agencies) and, furthermore, "
decisions taken to access such data are not
conducted on the basis of EU law".3
"…
personal data transferred by companies such as Facebook Ireland to its parent
company in the United States is thereafter capable of being accessed by the [US]
National Security Authority (and other federal agencies such as the Federal Bureau
of Investigation) in the course of a mass and indiscriminate surveillance and
interception of such data. Indeed, in the wake of the Snowden revelations, the
available evidence presently admitted of no other realistic conclusion".4
10. As it is not the purpose of the preliminary reference procedure before the Court of
Justice to review findings of facts made by a national court, the Parliament will proceed
to analyse the legal questions raised in the present procedure exclusively on the basis -
at the very least as a working hypothesis - of the above mentioned findings of fact of the
High Court of Ireland, which are not themselves in dispute here.5
III. LEGAL CONTEXT
A.
Charter of Fundamental Rights
11. According to Article 7 of the Charter, "
Everyone has the right to respect for his or her
private and family life, home and communications".
12. According to Article 8(1) of the Charter "
Everyone has the right to the protection of
personal data concerning him or her". Furthermore, Article 8(2) states that such data
"
must be processed fairly for specified purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid down by law".
3
See paragraph 7(b) of the Request for a preliminary ruling.
4
See paragraph 7(c) of the Request for a preliminary ruling.
5
It is public knowledge that the Parliament has conducted its own in-depth inquiry following the Snowden
revelations. On 12 March 2014, the Parliament adopted in plenary a Resolution "
on the US NSA
surveillance programme, surveillance bodies in various Member States and their impact on EU citizens'
fundamental rights and on transatlantic cooperation in Justice and Home Affairs" (2013/2188(INI).
According to the "
Main findings" of this Resolution, the Parliament "
Considers that recent revelations ...
have resulted in compelling evidence of the existence of far-reaching, complex and highly technologically
advanced systems designed by US and some Member States' intelligence services to collect, store and
analyse communication data, including content data, location data and metadata of all citizens around
the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner"
[emphasis added] (point 1 of the "
Main findings"). The Parliament's own findings are therefore fully
consistent with those of the national court, which is unsurprising given the national court's statement that
the current evidence admits "
no other realistic conclusion."
6
13. Article 8(3) of the Charter specifically provides that "
Compliance with these rules shall
be subject to control by an independent authority" [emphasis added].
14. Article 47 of the Charter provides for a right to an effective remedy and to a fair trial.6
B.
Directive 95/46/EC
15. The object of Directive 95/46/EC, according to Article 1(1), is to "
protect the
fundamental rights and freedoms of natural persons, and in particular their right to
privacy with respect to the processing of personal data."
16. Article 25 of Directive 95/46, under Chapter IV, sets out rules on the "
Transfer of
personal data to third countries"
.7
17. Article 28 of Directive 95/46, under Chapter VI, sets out the rules on the "
Supervisory
authority"
to be established by each Member State.8
6
"
Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an
effective remedy before a tribunal in compliance with the conditions laid down in this Article. ..."
7
[emphasis added]
"Principles
1. The Member States shall provide that the transfer to a third country of personal data which are
undergoing processing or are intended for processing after transfer may take place only if, without
prejudice to compliance with the national provisions adopted pursuant to the other provisions of this
Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all
the circumstances surrounding a data transfer operation or set of data transfer operations; particular
consideration shall be given to the nature of the data, the purpose and duration of the proposed
processing operation or operations, the country of origin and country of final destination, the rules of
law, both general and sectoral, in force in the third country in question and the professional rules and
security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a
third country does not ensure an adequate level of protection within the meaning of paragraph 2.
...
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third
country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by
reason of its domestic law or of the international commitments it has entered into, particularly upon
conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic
freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission's decision."
8
[emphasis added] "
Supervisory authority
1. Each Member State shall provide that one or more public authorities are responsible for monitoring
the application within its territory of the provisions adopted by the Member States pursuant to this
Directive.
These authorities shall act with complete independence in exercising the functions entrusted to them.
...
3. Each authority shall in particular be endowed with:
- investigative powers, such as powers of access to data forming the subject-matter of processing
operations and powers to collect all the information necessary for the performance of its supervisory
duties,
...
7
IV. CONSIDERATION OF THE QUESTIONS REFERRED
18. In effect, the High Court of Ireland is asking the Court of Justice to give a preliminary
ruling on the question as to whether the Irish Commissioner was correct, as a matter of
EU law, to refuse to open an investigation into an alleged breach of fundamental rights
to data protection in relation to transfers of personal data to a third country.
19. According to the Irish Commissioner, it is
impossible for him to even open an
investigation into the complaint made by Mr Schrems as he is - to use the wording of
the High Court of Ireland - "
absolutely bound" by the Commission Decision on Safe
Harbour. There is thus a legal obstacle, arising it is claimed under EU law, which
completely prevents the Irish Commissioner from investigating all complaints into this
matter in all cases, whether he himself wishes to conduct an investigation or not.
20. The questions thus concern the legal limits set by Directive 95/46, in accordance with
the Charter, on the powers of investigation of national data protection authorities.
21. To answer these questions, the Parliament will, first, examine the Charter, as a matter of
primary EU law, and then, second, interpret the provisions of Directive 95/46, in
accordance with the Charter.
A.
Charter of Fundamental Rights
22. In the present case, it is necessary to examine, first, whether there is any interference
with the rights laid down in Articles 7 and 8(1) and (2) of the Charter, with reference
also to Article 52(1) of the Charter. In the affirmative, it is then necessary to ask,
second, what control by an independent authority is required by Article 8(3) of the
Charter to deal with such a violation of the rights laid down in Articles 7 and 8 of the
Charter. In addition, we will address, third, the issue of the application of Article 47 of
the Charter, which is also mentioned in the questions referred by the national court.
4. Each supervisory authority shall hear claims lodged by any person, or by an association representing
that person, concerning the protection of his rights and freedoms in regard to the processing of personal
data. The person concerned shall be informed of the outcome of the claim.
..."
8
1.
Interference with the rights laid down in Articles 7 and 8 of the Charter
23. The allegations made by Mr Schrems in his complaint to the Irish Commissioner relate
to "
mass and indiscriminate surveillance and interception" of his personal data by the
U.S. authorities following their transfer from Ireland to the U.S.
24. It is obvious that such allegations would, if proved, constitute a clear interference with
the rights laid down in Articles 7 and 8 of the Charter.
25. It is to be recalled that, according to the settled case-law, to establish the existence of an
interference with the fundamental right to privacy, it does not matter whether the
information on the private lives concerned is sensitive or whether the persons concerned
have been inconvenienced in any way : see the judgment of the Grand Chamber of the
Court dated 8 April 2014 in Joined Cases C-293/12 and C-594/12,
Digital Rights
Ireland and Seitlinger and Others, EU:C:2014:238 (hereafter the "Digital Rights
Ireland" case), paragraph 33.
26. As a result, alleged surveillance and interception by U.S. authorities would constitute in
itself an interference with the rights guaranteed by Article 7 of the Charter.9
27. Likewise, alleged surveillance and interception by US authorities would constitute an
interference with the fundamental right to the protection of personal data guaranteed by
Article 8 of the Charter because it consists in the processing of personal data,
transferred from the E.U. to the U.S. by electronic means.10
28. It must also be stated that this interference with the fundamental rights laid down in
Articles 7 and 8 of the Charter would be particularly "
wide-ranging", and it would be
considered to be "
particularly serious". The fact that the personal data are intercepted
and subsequently processed by the U.S. authorities without the E.U. citizen being
informed is undoubtedly likely to generate in the minds of the persons concerned the
feeling that their private lives are the subject of constant surveillance.11
9
See, by analogy, the Digital Rights Ireland case, paragraphs 34 and 35.
10
See, by analogy, the Digital Rights Ireland case, paragraph 36.
11
See, by analogy, the Digital Rights Ireland case, paragraph 37.
9
29. It may even be said that the interference here is so serious that it adversely affects the
essence of the rights laid down in Article 7 of the Charter.12
2.
No possible justification under Article 52(1) of the Charter: mass
surveillance is inherently disproportionate
30. According to Article 52(1) of the Charter, any limitation on the exercise of the rights
and freedoms recognised by the Charter must be "
provided for by law" and respect the
essence of those rights and freedoms. Subject to the principle of proportionality,
limitations may be made only if they are necessary and genuinely meet the objectives of
general interest recognised by the Union or the need to protect the rights and freedoms
of others.
31. As a matter of interpretation of fundamental principles of primary EU law as enshrined
in the Charter, it is inconceivable that any legislation which expressly authorises the
"
mass and indiscriminate surveillance and interception" of personal data of all EU
citizens could ever be adequately "
provided for by law" and sufficiently respect the
"
essence" of the right to privacy and the right to the protection of personal data, whilst
at the same time respecting fully the principle of proportionality, in accordance with
Articles 7, 8 and 52 of the Charter.
32. "
Mass" and "
indiscriminate" interference with fundamental rights, encompassing all
innocent persons without limitation, is rather the antithesis of the fundamental
principles enshrined in Articles 7, 8 and 52 of the Charter, not to mention Article 8 of
the Convention for the Protection of Human Rights and Fundamental Freedoms
(hereafter the "Convention"): see, by analogy, paragraphs 52 to 54 of the Digital Rights
Ireland case. See also, by analogy, the judgments of the European Court of Human
Rights in
Liberty and Others v U.K., 1 July 2008, no.58243/00, paragraphs 62 and 63,
S.
and Marper v U.K., 4 December 2008, [GC], nos. 30562/04 and 30566/04, paragraphs
12
Cf. paragraph 39 of the Digital Rights Ireland case. In the present case, the High Court of Ireland found
that U.S. law does in fact permit the U.S. authorities to have access to electronic communications
(including audio and video chats, photographs, e-mails, documents etc). As a result, it is possible for the
US authorities to acquire knowledge of the content of those electronic communications: see paragraph
7(c) of the Request for a preliminary ruling, as well as paragraphs 10-13 of the judgment - referred to
there - of the High Court of Ireland delivered on 18 June 2014 (a copy of which is set out at Annex 3 to
the Request for a preliminary ruling). The present situation can thus be regarded as being far more
serious, in terms of interference with the essence of the right to privacy and protection of data, than in the
case of retention of data required by Directive 2006/24, whose Article 1(2) did not permit the acquisition
of "
knowledge of the content of electronic communications as such," but was nevertheless still found to
constitute "
a particularly serious interference" with the fundamental right to privacy.
10
119 and 125,
M.M. v. U. K., 13 November 2012, no. 24029/07, paragraph 195 and 199
and
M. K. v France, 18 April 2013, no. 19522/09, paragraph 37.
33. Mass and indiscriminate surveillance is thus inherently disproportionate and will always
amount to an unjustified interference with rights guaranteed by Articles 7 and 8 of the
Charter.
34. Given that it is excluded for the EU legislator or the EU Member States to adopt
legislation, contrary to the Charter and the Convention, providing for "
mass" and
"
indiscriminate" surveillance, then it must also follow,
a fortiori, that third countries
cannot, under any circumstances, be regarded as providing an "
adequate" level of
protection of personal data of EU citizens, within the meaning of Articles 7, 8 and 52 of
the Charter, where that third country itself has rules of law which do in fact permit such
"
mass" and "
indiscriminate" surveillance and interception of such data.13
3.
Article 8(3) of the Charter - powers of independent authorities
35. Article 8(3) of the Charter provides that "
compliance" with the rules on data protection
shall be subject to control by an "
independent authority".
36. Clearly, effective powers of investigation of "
independent authorities" with respect to
serious violations of the right to protection of personal data are essential to prevent
abuse. Above all, this must apply to the investigation of violations which cannot be
justified, under any circumstances, with reference to Article 52 of the Charter, such as
"
mass" and "
indiscriminate" surveillance.
37. Secondary EU legislation must therefore be interpreted in a manner which is consistent
with this need for effective powers of investigation of independent authorities.
38. Finally, it should be noted that the European Commission (as opposed to national
supervisory authorities, such as the Irish Commissioner) cannot itself be regarded as an
"
independent" authority within the meaning of Article 8(3) of the Charter.
13
The Parliament draws the attention of the Court to the fact that the Article 29 Working Party adopted, on
10 April 2014, Opinion 04/2014 "
on surveillance of electronic communications for intelligence and
national security purposes" (819/14/EN WP 215) in which the Working Party concludes that "
secret,
massive and indiscriminate surveillance programs are incompatible with our fundamental laws and
cannot be justified by the fight against terrorism or other important threats to national security". The
Working Party also concluded that "
Neither Safe Harbor, nor standard contractual clauses, nor BCRs
could serve as a legal basis to justify the transfer of personal data to a third country authority for the
purpose of massive and indiscriminate surveillance" [emphasis added] (see Executive Summary).
11
4.
Article 47 of the Charter
39. The question referred by the High Court of Ireland for a preliminary ruling mentions
also Article 47 of the Charter. However, no further explanations are given in the
Request for a preliminary ruling about the relevance of Article 47 of the Charter here. 14
40. Article 47 of the Charter is framed in terms of the "
right to an effective remedy before a
tribunal", the right to "
a fair and public hearing within a reasonable time by an
independent and impartial tribunal" and the right to be "
advised, defended and
represented". These rights belong to anyone "
whose rights and freedoms guaranteed by
the law of the Union are violated".
41. Taking into account the fact that according to the High Court of Ireland "[w]
hile there is
oversight on the part of the Foreign Intelligence Services Court in the US, this is done
on an ex parte and secret basis. EU citizens have no effective right to be heard on the
question of the interception and surveillance of their data" [emphasis added],15 it seems
that the rights of EU citizens to a public hearing and to be heard on the question of the
interception and surveillance of their data
are not complied with in the US judicial
system.
42. Clearly, the existence or not of a right to an effective remedy and to a fair trial abroad is
one of the circumstances surrounding a data transfer operation or set of data transfer
operations which are to be taken into account when assessing the adequacy of the level
of protection afforded by a third country. This is all the more evident from the wording
of Article 25(2) of Directive 95/46/EC according to which, when conducting such an
assessment, "
particular consideration shall be given to …
the rules of law, both general
and sectoral, in force in the third country" [emphasis added].
43. It would stand to reason that this would also be a circumstance to be taken into
consideration by the data protection authorities when they conduct their investigations
14
It appears that it was agreed to amend the initial draft question (which only mentioned Articles 7 and 8 of
the Charter) to include a reference also to Article 47 of the Charter, at a further post-judgment hearing
held on 2 July 2014: see footnote 4 inserted in the question referred in paragraph 22, on page 13, of the
Request for a preliminary ruling of the national court. As a result, it seems that the discussion, in the
Request for a preliminary ruling, is still limited to the previous analysis of Articles 7 and 8 on which the
initial draft question was first based, without explaining further the relevance of Article 47.
15
See paragraph 7(b) of the Request for a preliminary ruling.
12
into a claim lodged by a person concerning a serious interference with the rights to the
protection of personal data.
44. In addition, it could also be argued that the national data protection authorities must
themselves ensure the right to an "
effective remedy" by not refusing to investigate such
matters out of hand. Even though national data protection authorities may not strictly be
a "
tribunal" within the meaning of Article 47 of the Charter, the meaning and scope of
this right must, according to Article 52(3) of the Charter, nevertheless be the same as
the corresponding right guaranteed by Article 13 of the Convention which relates to an
effective remedy "
before a national authority".16
45. The European Parliament thus understands the reference made by the High Court of
Ireland to Article 47 of the Charter in the light of the above considerations.
B.
Directive 95/46
46. In the light of all the foregoing considerations concerning the correct interpretation of
Articles 7, 8, 47 and 52 of the Charter, the European Parliament will now examine in
detail the provisions of Directive 95/46, and in particular Articles 25 and 28 thereof.
47. According to the settled case-law,17 the proper interpretation of provisions of EU
legislation must be based not only on their wording but also the context in which they
occur and the objectives pursued by the rules of which they are part. The Parliament
will therefore now follow this method of interpretation below:
1.
Purpose of Directive 95/46 - Member States to protect fundamental rights
48. The object of Directive 95/46 is stated in Article 1(1) to be that "
Member States shall
protect the fundamental rights and freedoms of natural persons and in particular their
right to privacy with respect to the processing of personal data" [emphasis added].
16
According to the Explanations drawn up under Article 52(7) of the Charter as a way of providing
guidance in the interpretation of the Charter (OJ 2007 C 303, p. 17.), the first paragraph of Article 47 of
the Charter is based on Article 13 of the Convention.
The Court may also wish to note, in this regard, that although the English language versions of both the
Charter and Convention refer to a right to an "
effective remedy", the German language version of Article
13 of the Convention refers to "
Recht auf eine wirksame Beschwerde", whereas Article 47 of the Charter
refers, in German, to "
Recht auf einen wirksamen Rechtsbehelf."
17
See the judgment of the Court (Grand Chamber) dated 19 December 2013 in Case C-84/12,
Koushkaki,
EU:C:2013:862, paragraph 34 and the case-law cited.
13
49. In this regard, the first, tenth and eleventh Recitals of the Directive refer to fundamental
rights recognized not only in Union law, but also in the constitution and laws of the
Member States, in the Convention and also in the Council of Europe Convention of
28 January 1981 for the Protection of Individuals with regard to Automatic Processing
of Personal Data. Recital 10 of the Directive specifies that "
the approximation of those
[national]
laws must not result in any lessening of the protection [the national laws]
afford but must, on the contrary, seek to ensure a high level of protection in the
Community" [emphasis added].
50. It is clear from the foregoing that all of the provisions of Directive 95/46 must therefore
be interpreted in accordance with settled principles on the protection of fundamental
rights in the Member States and must not result in any lessening of that protection.18
51. The powers conferred by the EU legislator on the Commission are intended to assist
Member States in implementing their own obligations under Union law, where uniform
conditions for implementation are needed.19 The powers conferred on the Commission
must not therefore preclude the primary obligation of the Member States to protect
themselves fundamental rights in accordance with the main object of the Directive.
2.
General structure of the Directive: Chapter IV on transfers and Chapter
VI on supervisory authorities
52. Directive 95/46 is divided into seven Chapters and the two main issues raised in the
present case are themselves dealt with in two entirely separate Chapters, that is to say,
on the one hand, Chapter IV on "
Transfer of personal data to third countries" and
Chapter VI on "
Supervisory authority and working party on the protection of
individuals with regard to the processing of personal data."
53. According to this scheme of the Directive, there is no "
hierarchical" legal relationship
between Chapter IV on transfers and Chapter VI on supervisory authorities. Nothing in
Chapter VI suggests that the provisions on supervisory authorities are subordinate in
any way to the separate provisions on transfers in Chapter IV.
18
See Cases C-465/00, C-138/01 and C-139/01
Österreichischer Rundfunk and Others, EU:C:2003:294,
paragraphs 68 to 70.
19
Cf. Article 291(2) TFUE.
14
54. If anything, quite the opposite is true, as Article 25(1), under Chapter IV of the
Directive, states explicitly from the outset that the rules on transfers are "
without
prejudice to compliance with the national provisions adopted pursuant to the other
provisions of this Directive" - which must be taken to include also the provisions in
Chapter VI on supervisory authorities.20
55. As such, the provisions in Chapter VI, including Article 28 on the powers of national
supervisory authorities, should not, according to the general structure of Directive
95/46, be circumscribed by the provisions on transfers in Article 25.
3.
Scheme of Article 25 of the Directive on "adequacy" - objective test
56. Article 25 of Directive 95/46 sets out a specific scheme for ensuring that personal data
is properly protected when being transferred to third countries, built on the concept of
the "
adequacy" of the level of protection in that third country.
57. In the first place, Article 25 of the Directive provides, in the first paragraph, that
transfers to a third country are permitted "
only if" - and without prejudice to compliance
with the national provisions adopted pursuant to the other provisions of this Directive,
the third country in question "
ensures an adequate level of protection".
58. Thus, the general rule is that personal data shall not be transferred to a third country.
The exception to this rule (to be interpreted strictly) is that personal data "
may" be
transferred to a third country "
only if" it ensures an adequate level of protection.
59. It is clear from the second paragraph of Article 25, that the assessment of the level of
"
adequacy" of protection in a third country is to be carried out in the light of "
all the
circumstances surrounding a data transfer", with "
particular consideration" being
given to certain factors also listed in the second paragraph, including the "
rules of law,
both general and sectoral, in force in the third country in question."
60. Pausing at this stage, it is evident that the assessment of the "
adequacy" of the level of
protection in a third country must be determined according to objective criteria, taking
into account a whole range of relevant factors. The objective existence of an "
adequate"
20
Indeed, the Court has already described Chapter IV of the Directive as "
a special regime, with specific
rules, intended to allow the Member States to monitor transfers of personal data to third countries." That
Chapter sets up a"
complementary regime" to the "
general regime" set up by Chapter II of that directive
concerning the lawfulness of processing of personal data: see Case C-101/01
Lindqvist, EU:C:2003:596,
paragraph 63. Chapter VI, on the contrary, is rather a general regime for the supervision of all provisions.
15
level of protection in a third country is thus itself a condition
sine qua non for the
transfer of data to third countries.
61. Paragraph 3 of Article 25 is also of central importance to the present case in so far as it
provides that "
The Member States and the Commission shall inform each other of cases
where they consider that a third country does not ensure an adequate level of protection
within the meaning of paragraph 2." This clearly demonstrates that both the Member
States and the Commission are to play an equal role in identifying cases where a third
country does not ensure an adequate level of protection. The Member States and the
Commission must therefore work together, in the interests of protecting the fundamental
rights of individuals, to check the level of adequacy in each third country. Naturally,
this implies a mutual duty of sincere co-operation between the Member States'
authorities and the Commission: see Article 4(3) TEU.21
62. In order for paragraphs 1 to 3 of Article 25 to have an "
effet utile", we must infer that
the level of adequacy in a third country is a "
dynamic" situation which can change,
depending on a whole range of factors, over time: the Member States and the
Commission must therefore be constantly alert to any changes of circumstances which
may require a re-evaluation of the level of "
adequacy". In no way, can an assessment of
"
adequacy" be "
fixed in time" and then maintained indefinitely, irrespective of any
subsequent changes of circumstances which show that there is in fact no longer an
adequate level of protection. The over-riding purpose of this scheme is always to avoid
that data is transferred to a third country which does not provide an adequate level of
protection, in violation of the fundamental right to protection of personal data.22
63. Finally, it is important to underline the fact that the power conferred by the EU
legislator on the Commission in paragraph 6 of Article 25 of the Directive to adopt an
"
adequacy" finding is itself expressly made subject to the prior condition that there is an
"
adequate" level of protection "
within the meaning of paragraph 2".
64. Article 25(6) of the Directive must not therefore be construed in isolation, but rather as
merely one part (in fact the very last part, in order) of a detailed scheme on transfers to
21
This mutual duty of sincere co-operation can also be deduced from the provisions in Articles 29 and 30 of
the Directive on the "
Working Party on the Protection of Individuals with regard to the processing of
personal data", which is composed of a representative of the supervisory authority of each Member State,
a representative of the authority established for the EU institutions and of a representative of the
Commission. Under Article 30(1)(b), this Article 29 Working Party shall, inter alia, "
give the Commission
an opinion on the level of protection in the Community and in third countries" and under Article 30(1)(c)
the Working Party can "
advise the Commission... on any additional or specific measures to safeguard the
rights and freedoms of natural persons with regard to the processing of personal data...".
22
Cf. Judgment of the Court (Grand Chamber) dated 21 December 2011 in Joined Case C-411/10 and C-
493/10
N.S. and Others, EU:C:2011:865, paragraphs 81, 86 and 91.
16
third countries calibrated precisely to prevent violations of fundamental rights. As the
Court has already stated: "
Article 25 of Directive 95/46 imposes a series of obligations
on Member States and on the Commission for the purposes of monitoring transfers of
personal data to third countries in the light of the level of protection afforded to such
data in each of those countries" [emphasis added].23
4.
Wording of Article 25(6) of the Directive - meaning of "measures necessary
to comply"
65. It is against this legal background (set out in paragraphs 1 to 3 of Article 25), that we
may now consider how to properly interpret the final sentence of paragraph 6 of Article
25 of the Directive which states that "
Member States shall take the measures necessary
to comply with the Commission's decision."
66. Whilst it may well be expected that the Member States will, in the ordinary course of
events, usually comply with such decisions of the Commission, it must nevertheless be
admitted, as a matter of legal principle, that the Member States can, lawfully, decline to
comply with the Commission's decision where other provisions of Directive 95/46 - or a
provision of primary law, such as the Charter - require that the over-riding need to
protect fundamental rights should be given precedence.
67. This will certainly be the case where there is evidence to establish a serious interference
of the rights protected by Articles 7 and 8 of the Charter.
68. According to settled case-law, the Member States must make sure they do not rely on an
interpretation of an instrument of secondary legislation which would be in conflict with
the fundamental rights protected by the European Union legal order or with the other
general principles of Union law: see, to that effect, the Judgment of the Court (Grand
Chamber) dated 21 December 2011 in Joined Case C-411/10 and C-493/10
N.S. and
Others, EU:C:2011:865 (hereafter the "N.S." case), paragraph 77.24
23
See Case C-101/01
Lindqvist, EU:C:2003:596, paragraph 65.
24
There is a clear parallel between the present case, involving a finding of the Commission that it is "
safe"
to transfer personal data to a third county, on the one hand, and the N.S case, involving a finding by a
Member State that it is "
safe" to transfer an asylum seeker to another Member State, on the other hand.
Although the legal and factual background is obviously very different in the case of the protection of
personal data (under Article 8 of the Charter) and the protection of asylum seekers (under Article 4 of the
Charter), there is a common underlying legal principle in both cases that, as stated by the Court in
paragraph 99 of the N.S. case, an interpretation of EU secondary legislation which relies on a "
conclusive
presumption" that fundamental rights will be observed (be it by a Member State, by the Commission or
17
69. Secondary EU legislation should not require a "
conclusive presumption" of compliance
with fundamental rights, as it could then itself be regarded as undermining the
safeguards which are intended to ensure compliance with fundamental rights by the
European Union and its Member States.25
70. With this in mind, the Parliament considers that Directive 95/46 does not impose, in
Article 25(6), any such "
conclusive presumption" of compliance with fundamental
rights in relation to the Commission's finding on the adequacy of the level of protection
in a third country. Thus, Article 25(6) of Directive 95/46 should not be interpreted as
undermining the safeguards - particularly in Article 28(1) of the Directive and Article
8(3) of the Charter - which are intended to ensure compliance with fundamental rights.
71. Evidence must therefore be admitted, before the national supervisory authorities, to
determine whether personal data is truly being transferred to a "
safe" third country.26
72. In these circumstances, the presumption underlying Article 25(6) of Directive 95/46,
that the transfer of personal data to a third country will comply with fundamental rights,
"
must be regarded as rebuttable".27
73. In view of the object and general structure of Directive 95/46 and the specific scheme of
Article 25, it is clearly not "
necessary", in the particular sense of this word used in
paragraph 6 of Article 25, for Member States - including national supervisory
authorities - to comply with an adequacy decision of the Commission where there is
evidence of a serious interference of fundamental rights, protected by Articles 7, 8 and
47 of the Charter, by the third country in question. "
Compliance" with the Commission's
decision in these circumstances would in fact (unnecessarily) defeat the prime object of
Directive 95/46 itself as it would, in effect, prevent Member States from ensuring
themselves, in accordance with the Charter, the Convention and their own constitutional
traditions,28 effective protection of the fundamental rights of individuals.
by a third country) is "
incompatible with the duty of the Member States to interpret and apply [secondary
EU legislation]
in a manner consistent with fundamental rights."
25
See paragraphs 99 and 100 of the N.S. case.
26
See, by analogy, paragraph 101 of the N.S. case.
27
See, by analogy, paragraph 104 of the N.S. case.
28
It should be recalled that the High Court of Ireland already declared that "
if the matter were to be judged
solely by reference to Irish constitutional law standards, the Commissioner could not properly have
exercised his s.10(1)(a) powers to conclude in a summary fashion that there was nothing further to
investigate" [emphasis added]: see paragraphs 14 and 15 of the Request for a preliminary ruling.
18
5.
Wording
of
Article
28(1)
of
the
Directive
-
meaning
of
"complete independence"
74. Article 28(1) of Directive 95/46 provides that the national supervisory authorities shall
act with "
complete independence"
in exercising the functions entrusted to them.
75. In this regard, Recital 62 of the Directive declares that the establishment in Member
States of supervisory authorities, exercising their functions with "
complete
independence"
, is an
"
essential component" of the protection of individuals with regard
to the processing of personal data. Furthermore, Recital 63 adds that such authorities
must have the
"
necessary means"
to perform their duties, including powers of
investigation and intervention, particularly in cases of complaints from individuals.
76. It will be recalled that the Court has already interpreted the words "
with complete
independence" in Article 28(1) of Directive 95/46, taking their usual meaning into
account. In relation to a public body, the term "
independence" normally means a status
which ensures that the body concerned can act "
completely freely, without taking any
instruction or being put under any pressure": see the judgment of the Court (Grand
Chamber) dated 9 March 2010 in Case C-518/07,
Commission v Germany
EU:C:2010:125, paragraph 18. Indeed, the Court declared, in paragraph 23 of that
judgment that the supervisory authorities provided for in Article 28 of Directive 95/46
are therefore "
guardians" of the fundamental rights and freedoms with respect to the
processing of personal data, and their existence in the Member States is considered as
an "
essential" component of the protection of individuals with regard to the processing
of personal data.
77. Furthermore, the Court has recently confirmed that the requirement that compliance
with EU rules on data protection is subject to control by an independent authority
"
derives from the primary law of the European Union", inter alia Article 8(3) of the
Charter and Article 16(2) TFEU: see Judgment of the Court (Grand Chamber) dated 16
October 2012 in Case C-614/10,
Commission v Austria, EU:C:2012:631, paragraph 36.
See also paragraph 68 of the
Digital Rights Ireland case.
The High Court of Ireland also refers to a ruling of the German Constitutional Court in the
Anti-
Terrorism Database case dated 24 April 2003: see paragraph 10 of the Request for a preliminary ruling.
19
78. It should also be recalled that the European Commission is not itself a supervisory
authority, within the meaning of either Article 8(3) of the Charter or Article 28(1) of
Directive 95/46. To make the supervisory authorities "
absolutely bound" by decisions
adopted by the Commission would therefore, inevitably, constitute a limit on the
"
complete independence" of those national authorities.
79. The wording, scheme and purpose of Directive 95/46 all therefore clearly point to one
conclusion on the interpretation of its provisions: the powers of supervisory authorities
to investigate complaints of individuals in "
complete independence", under Article 28 of
Directive 95/46, must be given a broad interpretation, in accordance with Article 8(3) of
the Charter, and must not therefore be limited by the powers conferred by the EU
legislator on the Commission, under Article 25(6) of this Directive, to find that there is
an "
adequate" level of protection in a third country.
80. In effect, the present case poses an old question in a new context: in the digital age,
who
will guard the guardians? ("
quis custodiet ipsos custodes?"). The Commission may well
be the "
guardian" of the Treaties but the national supervisory authorities are themselves
the "
guardians" of the fundamental rights and freedoms with respect to the processing
of personal data. It is only fitting therefore that the latter must be permitted to
investigate complaints, in complete independence, in the overriding interests of
protecting individuals with regard to the processing of personal data.
C. National law
81. According to Article 51(1) of the Charter, the provisions of the Charter are addressed to
the Member States only when they are implementing Union law.
82. There is absolutely no doubt that the Irish legislation in question in this case - that is to
say the Data Protection Act 1988, in its current form - was adopted in implementation
of Directive 95/46.29 As a result, the provisions of the Charter are clearly addressed to
Ireland in this particular case, in accordance with Article 51(1) of the Charter.
29
The High Court of Ireland proceeds on this basis: paragraph 17 of the Request for a preliminary ruling.
The Data Protection (Amendment) Act 2003 was adopted by the Oireachtas (the Irish Parliament) to give
effect to Directive 95/45: see http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html.
Section 12 of the Data Protection (Amendment) Act 2003 substituted a new text for the previous version
of Section 11 of the Data Protection Act 1988 to specifically require the Data Protection Commissioner to
determine any question about the adequacy of the level of protection in a third country in accordance with
a "
Community finding" of the Commission, adopted under Article 25(6) of Directive 95/46.
20
83. In these circumstances, it should normally be possible to interpret Irish implementing
legislation, that is to say the current version of the Data Protection Act 1988, in
accordance with the proper interpretation of Directive 95/46, in compliance with the
Charter. This is though a matter for the national court to establish, as far as possible.30
84. However, should it not prove possible for the national court to interpret Irish legislation
in accordance with Directive 95/46 and the Charter, then it would follow that the High
Court of Ireland is under a duty to give full effect to the provisions of EU law, including
the Charter, if necessary refusing of its own motion to apply any conflicting provision
of national legislation, even if adopted subsequently, without requesting or awaiting the
prior setting aside of such a provision by legislative or other constitutional means.31
30
See Cases C-465/00, C-138/01 and C-139/01
Österreichischer Rundfunk and Others, EU:C:2003:294,
paragraph 93. See also Case C-106/89,
Marleasing, EU:C:1990:395, paragraph 8.
31
See the judgment of the Court (Grand Chamber) dated 26 February 2013 in Case C-617/10,
Åkerberg Fransson, EU:C:2013:105, paragraph 45.
21
V.
CONCLUSIONS
85. In the light of the above, the European Parliament respectfully submits that the
questions referred to the Court of Justice by the High Court of Ireland should be
answered as follows:
Articles 25 and 28 of Directive 95/46 must be interpreted, in conformity with Articles 7
and 8 of the Charter, as meaning that a national supervisory authority, established
under Article 28(1) of Directive 95/46, is not absolutely bound by a finding of the
Commission, adopted under Article 25(6) of Directive 95/46, where there is evidence
that the transfer of personal data to a third country is in infringement of the right to
privacy, the right to the protection of personal data and the right to an effective remedy
contained in Articles 7, 8 and 47 of the Charter.
The national supervisory authority, acting in complete independence under Article
28(1) of Directive 95/46 and Article 8(3) of the Charter, must conduct his or her own
investigation into alleged serious infringements of the rights contained in Articles 7 and
8 of the Charter in the light of all available evidence, in the over-riding interest of
protecting the personal data of individuals, in conformity with the object of Directive
95/46 and Articles 7, 8 and 47 of the Charter.
Antonio CAIOLA
Dominique MOORE
Mirena PENCHEVA
Agents of the European Parliament