23.09.2015

CJEU (Opinion of the AG): Schrems v Data Protection Commissioner (Safe Harbor invalid?)

CJEU (Opinion of Advocate General Bot) 23.09.2015, C-362/14 - Maximillian Schrems v Data Protection Commissioner
In today’s Opinion, Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid. 
Source: CJEU press release (pdf)

Questions referred:
Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC1 ) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/012 ), the provisions of Article 25(6) of Directive 95/46/EC3 notwithstanding?
Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?

Not yet published.
III – Conclusion
237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:
Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.
Update: Judgment to be delivered on October 6th 2015, 9:30.