Schrems v. Irish Data Protection Commissioner: some further thoughts

As the dust begins to settle after the headline-grabbing Advocate General opinion in the Schrems v. Irish Data Protection Commissioner it may be worth considering some of the other potential implications arising from that opinion.

Of course, the AG opinion is not the final word on this matter. That will rest with the judgement of the Court of Justice of the European Union (CJEU). And the CJEU is not bound to follow this opinion. So there may well be life left in Safe Harbor (or Safe Harbor 2.0) yet. But if the CJEU follows suit, what else could this mean?

• The Irish Data Protection Commissioner had initially refused Mr Schrems’ complaint on the grounds it was “frivolous or vexatious” as he could not evidence that his information specifically had been subject to surveillance by US law enforcement agencies.  Once the CJEU has made its decision, the complaint will be passed back to Ireland – could the same conclusion be reached as Mr Schrems has still not provided this evidence?  Given the conclusions of the Irish High Court in making its referral to the CJEU this seems unlikely – they believed the PRISM programme gives rise to a “significant issue”; but you never know.
• If the CJEU determines, as seems likely, that the independence of local data protection supervisory authorities means they are not necessarily bound to follow decisions of the European Commission, what other alternative approaches could local authorities adopt?  Could we see some local authorities determining that other data flows do not provide an adequate level of protection for European personal data?  Or perhaps the Article 29 Working Party will need to take more of a lead?
• AG Bot’s critique of Safe Harbor is certainly detailed.  In essence, AG Bot identifies two fundamental flaws with Safe Harbor:
  • the rights granted to US law enforcement agencies to access personal information held by technology providers in the US are too broad – and, as a result, the restriction of the Safe Harbor principles in such circumstances disproportionate; and
  • the lack of an independent authority in the US with a sufficiently broad remit to monitor and enforce compliance with the requirements for protection and security of personal data – the Federal Trade Commission’s responsibility is limited to commercial practices but does not oversee the activities of US law enforcement agencies.
• Clearly the “Snowdon revelations” have brought concerns regarding Safe Harbor to the forefront, but these two “flaws” are products of the structure of Safe Harbor.  Will the CJEU really follow suit in reaching a view that Safe Harbor has been “invalid” for the past 15 years?  And does the same risks actually apply to model clauses or other data transfer solutions?
• The lack of an independent US data protection authority is significant in its own right; will this Opinion put pressure on the EU Commission to require such a body as part of the renegotiation of “Safe Harbor 2.0”?  Will it put pressure on the US to press ahead with “rights for EU citizens”; other subject currently under discussion.  What is clear, is that these negotiations have just received a renewed sense of urgency.

Some food for thought while we await the CJEU decision.