Presentation is loading. Please wait.

Presentation is loading. Please wait.

DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.

Similar presentations


Presentation on theme: "DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC."— Presentation transcript:

1 DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC

2 Background to Schrems v DPC Increasing prominence of data protection law in Europe. Lengthy and fractious negotiation of General Data Protection Regulation. Articles 7 and 8 of the Charter on Fundamental Rights. Robust judgments of the Court of Justice of the European Union – Google Spain, Digital Rights Ireland. Snowden revelations – Project PRISM.

3 Safe Harbor and Schrems v DPC I. Overview of Safe Harbor II. The High Court’s Decision in Schrems v DPC III. The Decision of the Court of Justice of the European Union IV. Practical Effects: Implications for International Data Transfer V. Beyond Safe Harbor

4 I. Overview of Safe Harbor Commission Decision 2000/520, 26 July 2000, under Article 25(6), Data Protection Directive. European Commission and US Department of Commerce. Transfer of data from EU to US. Safe Harbor privacy principles – corresponded to principles under Data Protection Directive. Set of FAQs. Self-certification system.

5 The Safe Harbor Privacy Principles Notice - Inform individuals as to purpose etc. Choice – Allow opt out. Onward Transfer – Disclosure to 3 rd parties. Security – Duty to protect against loss, misuse, etc. Data Integrity – Processing must be relevant to purpose of collection/authorisation. Access – Individual right to access personal data. Enforcement – Effective mechanisms.

6 II. The High Court’s Decision in Schrems v DPC [2014] IEHC 310 Facts: Privacy campaigner Maximillian Schrems. Facebook Ireland is data controller for European users of Facebook service. Mr Schrems’ 23 complaints to Irish Data Protection Commissioner. Complaint 23: that his data was not secure under Safe Harbor in light of Snowden allegations. DPC rejects complaint as ‘frivolous and vexatious’ on basis he is bound by Safe Harbor. Mr Schrems initiates judicial review proceedings.

7 II. The High Court’s Decision in Schrems v DPC Holding: High Court, Hogan J. Makes preliminary reference of questions to Court of Justice of European Union. Findings of fact:  “I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data. Indeed, in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusion.” [para. 13]

8 II. The High Court’s Decision in Schrems v DPC Locus Standi: Mr Schrems entitled to invoke provisions of Irish Constitution, though not resident in Ireland. Findings on constitutionality of mass State surveillance. Right to privacy and right to inviolability of dwelling. Links to German basic law.  “One might accordingly ask how the dwelling could in truth be a "place of repose from the cares of the world" if, for example, the occupants of the dwelling could not send an email or write a letter or even conduct a telephone conversation if they could not be assured that they would not be subjected to the prospect of general or casual State surveillance of such communications on a mass and undifferentiated basis.” [para. 54]

9 II. The High Court’s Decision in Schrems v DPC Reference for preliminary ruling by CJEU. (1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding? (2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?

10 III. Decision of the Court of Justice of the European Union Case C-362/14 Schrems v Data Protection Commissioner EU:C:2015:650 Struck down two provisions of Safe Harbor decision. Invalidity of Safe Harbor programme necessarily followed. Article 1 Safe Harbor not compliant with Article 25(6) Data Protection Directive. No finding as to adequacy of data protection in US law. Need for “essential equivalence.” Safe Harbor principles subordinate to general law and national security measures.

11 III. Decision of the Court of Justice of the European Union Absence of real enforcement mechanisms for individuals. Compliance with Articles 7 and 8 of Charter of Fundamental Rights of the European Union. Requirement that derogations from general rules re personal data be strictly construed. Mass surveillance not compliant with Charter:  “In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.” [para. 94]

12 III. Decision of the Court of Justice of the European Union General comments on role of national supervisory authorities. Individuals entitled to bring complaints to national authorities re security of their data, even where Commission decision in place. Individual and national authorities must both have recourse to judicial remedies with view to making preliminary reference.

13 III. Decision of the Court of Justice of the European Union Article 3 Safe Harbor declared invalid. Purported to deny national supervisory authorities powers granted by Article 28 of Data Protection Directive. Article 25(6) does not grant Commission entitlement to abridge those powers. Backdrop of tension as to role of national supervisory authorities.

14 IV. Practical Effects: Implications for International Data Transfer Invalidity of Safe Harbor not surprising. Many organisations had contingency plans in place. Reliance on other provisions of Directive for international data transfer:  Standard contractual clauses  Binding corporate rules  Derogations:  Performance of contract  Establishment, exercise or defence of legal claims  Consent of the individual

15 V. Beyond Safe Harbor Privacy Shield – agreement in principle. Schrems sets parameters for agreement:  Need for general finding as to adequacy of legal protection.  Strict scrutiny of derogations from data protection rules.  Incompatibility of mass surveillance with Charter.  Significance of independence of national supervisory authorities.

16 Questions and Comments Welcome Andrea Mulligan BL  andrea.mulligan@lawlibrary.ie andrea.mulligan@lawlibrary.ie  086 3857328  Law Library, Four Courts, Dublin 7.


Download ppt "DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC."

Similar presentations


Ads by Google