Press release welcoming the increased budget for 2017 for the OIC, which is a 59% increase in the budget. In the press release, the Commissioner directly links this increased budget to both the GDPR and the expanding role of the Irish DPA under that regime, where it becomes responsible for “protecting the fundamental privacy rights of EU citizens, a core part of which is the regulation of a large number of leading internet multi-nationals that have located European operations in Ireland.”
On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of the proceedings is to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” mechanism under which, at present, personal data can be transferred from the EU to the US.
While the DPC does not seek any specific relief against Mr Schrems or Facebook Ireland Limited (FB), both of those parties were joined to the proceedings because the outcome of the case will impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook (see further below). By joining Mr Schrems and FB to the proceedings, the DPC also ensured that those parties would have an opportunity (but not an obligation) to participate in the proceedings.
The purpose of this note is to explain the background to the case, the reasons why the DPC has taken the case and the current position in the High Court as of September 2016.
On June 30, 2016, representatives of the French Parliament reached a common position on the French “Digital Republic” bill. This new law, which should normally be adopted in October 2016, significantly amends various aspects of the French Data Protection Act.
More specifically, a Joint Committee of both French legislative chambers (National Assembly and Senate) approved amendments that comply with the latest jurisprudence (the “Digital Rights” case) of the Court of Justice of the European Union (CJEU) and anticipate obligations set out by the EU General Data Protection Regulation (GDPR) in article 13.2.a. The amendments include the obligation for companies to inform individuals of the data retention period. If companies are unable to provide this information, they are obliged to inform individuals of the criteria used to determine that period. At present, businesses in France are not required to specify data retention periods in their privacy notices.
The Office of the Data Protection Commissioner issued a press release announcing that:
“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
The Office of the Data Protection Commissioner (“ODPC”) welcomes the decision of the European Court of Justice in the case of Bara & Oths C-201/2014 and notes the strong trend emanating from recent judgments whereby the Court has interpreted the Data Protection Directive so as to extend and to re-enforce the protection of the rights of individuals. The Bara judgment which focused upon a public sector data sharing arrangement re-iterates the importance of informing the data subject about the processing of their personal data as it affects the exercise by the data subjects of their right of access to their personal data, their right to rectify their data being processed and their right to object to the processing of data.
An individual may expect public sector bodies to share their personal data where it is essential and necessary to provide him/her with the services sought and the ODPC fully support the aim of developing more efficient and customer centric public services in this regard. However, this must also be balanced with the fact that individuals need to be informed as to how their personal information is used and for what purpose, who has access to it and how the sharing of that information will impact upon them. Therefore, whilst data sharing can bring benefits in terms of efficient delivery of public services it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.
As such the ODPC recommends that all data sharing arrangements in the public sector should:
- Have a basis in primary legislation;
- Be made clear to individuals that their data may be shared and for what purpose;
- Be proportionate in terms of their application and the objective to be achieved;
- Have a clear justification for individual data sharing arrangements;
- Share the minimum amount of data to achieve the stated public service objective;
- Have strict access and security controls; and
- Ensure secure disposal of shared data.
It is important to restate from the outset that, subject to the exceptions permitted under the Data Protection Acts 1988 – 2003 (the DPA), all processing of personal data must comply with the principles of data quality as set out in Section 2 and with one of the criteria for making data processing legitimate in Section 2(2A) (and Section 2(2B) if sensitive personal data is involved). In undertaking a review of all current and future data sharing arrangements, public sector bodies should ensure that the following best practice guidelines are considered and applied as appropriate.
Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland
Dariusz Kloza, Vrije Universiteit Brussel, Belgium
While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and worldwide heated debates on its prospects, there is no doubt that two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. Obviously, we have in mind the judgements in the widely debated Schrems case and the not-yet-so-popular Weltimmo case, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.
First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled the Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another premise for transfers of personal data, such as binding corporate rules, model contractual clauses or simply the individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers over even those data controllers and processors who do not fall into their territorial jurisdiction due to lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).
Second, although this is not an obvious conclusion from reading the respective texts of these judgments, these two cases have reinforced cooperation between European data protection authorities. This development particularly interests the PHAEDRA project consortium.
In Weltimmo, the Court made one of the relatively few strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what caught our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).
A reader would easily note the term ‘must’ was used in the context of the ‘duty of cooperation’. The fulfilment thereof, in the still-old regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision had a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm so. The judgement concludes with a sentence that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more bravely, a data subject might demand her supervisory authority to cooperate with the counterpart of the latter and none of them might refuse either.
Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet, its ramifications simply constitute another impeccable example of the need to cooperate between supervisory authorities on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgement arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position both on the forum of the Article 29 Working Party and by all and every supervisory authority forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.
The Weltimmo and Schrems judgements are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgements reinforced cooperation mechanisms and pleaded towards their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure efficiency of cooperation between supervisory authorities under the future regime of the General Data Protection Regulation. Weltimmo and Schrems remain instructive here.
The issues dealt with in the judgement are complex. While they will require careful consideration, what is immediately clear is that the Court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data. That is very much to be welcomed.
In articulating the level of responsibility that the national data protection authorities in each member state will bear, the judgement also clarifies the mechanisms by which data privacy rights must be protected by national data protection supervisory authorities, and the relationship between those authorities and the European Commission.
The judgement will now be considered by the Irish High Court, the High Court having referred a number of questions to the CJEU in relation to the “safe harbour” scheme in July 2014. I immediately instructed the DPC legal team this morning to take whatever actions are necessary to bring the case back as soon as practicable before the Irish High Court. The High Court has listed the matter for Tuesday 20 October at 10.15am.
In declaring the old “safe harbour” rules invalid, however, the significance of the judgement extends far beyond the case presently pending in Ireland. In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”
See also the Statement from Data Protection Commissioner, Helen Dixon in respect of High Court Case 2013/765 JR – Schrems of 20 October 2015, (https://www.dataprotection.ie/viewdoc.asp?Docid=1498&Catid=66&StartDate=1+January+2015&m=n%29) which states “I welcome today’s ruling from Judge Hogan which brings these proceedings to a conclusion. My Office will now proceed to investigate the substance of the complaint with all due diligence.” This refers to the High Court of Ireland judgement Schrems -v- Data Protection Commissioner.