Are data protection supervisors getting super powers?
30 June 2014
In yet another high-profile data protection case, this time involving Facebook and Safe Harbor, on 18 June the Irish High Court (the Court) issued a judgement referring a data protection query to the Court of Justice of the European Union (the CJEU).
The specific issue concerned one of 23 complaints submitted to the Commissioner by an Austrian law student, Mr Schrems, against Facebook Ireland.
In his complaint, Mr Schrems maintained that the Snowden revelations had demonstrated that there was no meaningful protection in US law or practice in respect of data transferred by Facebook Ireland to Facebook US under the latter's Safe Harbor certificate.
In its judgement, the Court produced several very relevant and interesting statements, including:
the Court assumed that the Snowden revelations are true and that the US has, at least, the ability to monitor global communications. It is important to note that the Court did recognise that the Irish Data Protection Commissioner (the Commissioner) had questioned Facebook Ireland about its data disclosure practices following the Snowden revelations, and the conclusion was that Facebook Ireland had appropriate data disclosure procedures.
the Court also stated that monitoring global communications is essential for the US to discharge its global security responsibilities.
the Court said that the mere fact that such capabilities exist is sufficient to consider that there is an interference with the rights to privacy and data protection, and there is no need to demonstrate effective monitoring of individuals' global communications or any resulting harm. In fact, regarding Mr Schrems' specific complaint, the Commissioner had not found any evidence pointing to his personal data having been disclosed to the US authorities.
finally, the Court considered that individuals are entitled to object to their personal data being transferred to jurisdictions which do not protect them adequately, namely against interference from public authorities.
Taking all of the above into consideration, and interpreting the rights to privacy and data protection in accordance with the CJEU decision invalidating the Data Retention Directive, the Court asked the CJEU whether data protection supervisors such as the Commissioner could disregard the EU Commission's decision recognising the US Safe Harbor framework.
If the CJEU acknowledges the existence of this "right", data protection supervisors will in practice have the power to disregard White List Commission decisions, which could have significant business and diplomatic impact.
This article was written by Robert Bond.