Oral Speaking Notes of Maximillian Schrems

Similar documents
Notes provided by Brendan Van Alsenoy (KU Leuven). Addition by Max Schrems (mainly tweets included). Check against delivery.

THE HIGH COURT COMMERCIAL

Adequacy Referential (updated)

II. Statement of interest of the Applicants

Data Protection and privacy case-law Case law update (DPO meeting) 1

Recent Developments in EU Public Law. Scottish Public Law Group Annual Summer Conference 9 June 2014

ARTICLE 29 DATA PROTECTION WORKING PARTY

PROLAW Student Journal of Rule of Law for Development SECURING US-EU PERSONAL DATA FLOWS: A CRITICAL OUTLOOK ON THE RECENT AGREEMENTS

THE HIGH COURT. [2016 No P.] BETWEEN DATA PROTECTION COMMISSIONER! AND

EXECUTIVE SUMMARY. 3 P a g e

Children and Young People (Information Sharing) (Scotland) Bill. Response to the call for evidence. Alistair Sloan

Opinion 6/2015. A further step towards comprehensive EU data protection

In the present analysis, we cover the most problematic points of the Directive. For our views on the Regulation, please go to our document pool.

EU Charter of Rights and ECHR: The Right to a Fair Trial. Professor Steve Peers School of Law, University of Essex

Council of the European Union Brussels, 1 February 2017 (OR. en)

Fundamental rights as general principles of law Eg Case 11/70 [1970] ECR 1125, Internationale Handelsgesellschaft.

AMENDMENTS EN United in diversity EN. European Parliament Draft motion for a resolution Claude Moraes (PE595.

LEGAL BASIS OBJECTIVES ACHIEVEMENTS

LEGAL BASIS OBJECTIVES ACHIEVEMENTS


Article 1. Federal Data Protection Act (BDSG)

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT 4

ARTICLE 29 Data Protection Working Party

Developing a 'toolkit' for assessing the necessity of measures that interfere with fundamental rights Background paper

Opinion 3/2016. Opinion on the exchange of information on third country nationals as regards the European Criminal Records Information System (ECRIS)

David Anderson QC Independent Reviewer of Terrorism Legislation Brick Court Chambers 7-8 Essex Street London WC2R 3LD

ORDER OF THE COURT OF FIRST INSTANCE (Second Chamber) 28 November 2005 * European Environmental Bureau (EEB), established in Brussels (Belgium),

Factsheet on the Right to be

JUDGMENT OF THE COURT (First Chamber) 1 February 2007 * APPEAL under Article 56 of the Statute of the Court of Justice, brought on 24 June 2005,

PARLIAMENT v COUNCIL AND COMMISSION. JUDGMENT OF THE COURT (Grand Chamber) 30 May 2006*

Official Journal of the European Union. (Legislative acts) DIRECTIVES

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

32000D0520. Official Journal L 215, 25/08/2000 P

THE EU CHARTER OF FUNDAMENTAL RIGHTS; AN INDISPENSABLE INSTRUMENT IN THE FIELD OF ASYLUM

Submission to the Foreign Affairs, Defence and Trade Committee on the New Zealand Intelligence and Security Bill

Irish Government Publishes Data Protection Bill 2018

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Association of the Councils of State and Supreme Administrative Jurisdictions of the European Union. Colloquium of Madrid June 2012.

COMMISSION IMPLEMENTING DECISION. of XXX

THE LEGAL FRAMEWORK FOR THE PROTECTION OF PERSONAL DATA IN INTERNATIONAL POLICE AND JUDICIAL COOPERATION. Matko Pajčić *

29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States

LIBE Committee Inquiry on electronic mass surveillance of EU citizens. Public Hearing, Strasbourg, 7 October 2013 Contribution of Peter Hustinx (EDPS)

Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit

ENVIRONMENTAL IMPACT ASSESSMENT OF PROJECTS RULINGS OF THE COURT OF JUSTICE

Supreme Court of the United States

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Horizontal Application of EU-Fundamental Rights. Prof. Dr. Bernd Waas

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

REGULATION OF INVESTIGATORY POWERS BILL SECOND READING BRIEFING

Conference of the Polish Presidency of the Council of the EU

JUSTICE REFORM ROMANIA

Guidance Note on the transposition and implementation of the EU Asylum Acquis. February 2014

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. on the right to interpretation and translation in criminal proceedings

Douwe Korff Professor of International Law London Metropolitan University, London (UK)

Robert Fearon and Company Limited v. Irish Land Commission. (Case 182/83) Before the Court of Justice of the European Communities ECJ

B. The transfer of personal information to states with equivalent protection of fundamental rights

1 of 7 03/04/ :56

Reports of Cases. JUDGMENT OF THE COURT (Second Chamber) 20 December 2017 *

Foster: Q&A Human Rights and Civil Liberties

8118/16 SH/NC/ra DGD 2

JUDGMENT OF THE COURT (Grand Chamber) 1 July 2008 (*) (Appeals Access to documents of the institutions Regulation (EC) No 1049/2001 Legal opinion)

EUROPEAN DATA PROTECTION SUPERVISOR

General Data Protection Regulation

Joint Select Committee on Human Rights Inquiry into the European Union (Withdrawal) Bill. The Law Society of Scotland s Response

JUDGMENT OF THE GENERAL COURT (Second Chamber) 7 June 2011 (*)

PE-CONS 71/1/15 REV 1 EN

CONSULTATION ON COLLECTIVE REDRESS GREEK MINISTRY OF JUSTICE

Statement for the European Parliament, Temporary Committee on the ECHELON interception system, meeting of Thursday, 22 March, 2001, Brussels.

THE EU S ATTEMPTS AT SETTING A GLOBAL DATA PROTECTION NORM

on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights

SAFE HARBOR: STAYING ALIVE?

UNHCR s Oral Intervention at the Court of Justice of the European Union. Hearing of the case of El Kott and Others v. Hungary (C-364/11)

JUDGMENT OF THE COURT OF FIRST INSTANCE (Fourth Chamber, Extended Composition)

Joint Committee on the Draft Investigatory Powers Bill Information Commissioner s submission

JUDGMENT OF THE COURT 23 September 2003 *

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

1 The earlier stages are summarised in the Note from the Presidency to Coreper/Council, document 6582/10, of

EU Data Protection Law - Current State and Future Perspectives

60 th UIA CONGRESS Budapest / Hungary October 28 November 1, UIA Biotechnology Law Commission Sunday, October 30, 2016

Common ground in European Dismissal Law

The EU Charter, Environmental Protection, and Judicial Remedies

IN THE EUROPEAN COURT OF HUMAN RIGHTS. Application No /13. Big Brother Watch and others v. the United Kingdom

MAXIMILLIAN SCHREMS. -and- DATA PROTECTION COMMISSIONER Respondent OUTLINE SUBMISSIONS ON BEHALF OF THE RESPONDENT

RESTREINT UE/EU RESTRICTED

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

ECN RECOMMENDATION ON COMMITMENT PROCEDURES

Data Protection in the European Union: the role of National Data Protection Authorities Strengthening the fundamental rights architecture in the EU II

8557/16 SHO/ra 1 DGD 2

DRAFT OPINION. EN United in diversity EN. European Parliament 2016/0126(NLE) of the Committee on Legal Affairs

JUDGMENT OF THE COURT (Second Chamber) 22 December 2010 (*)

STATUTORY INSTRUMENT 2002 NO THE ELECTRONIC COMMERCE (EC DIRECTIVE) REGULATIONS Statutory Instruments No. 2013

P6_TA-PROV(2007)0347 PNR Agreement

Spring Conference of the European Data Protection Authorities, Cyprus May 2007 DECLARATION

THE FIFTH AMENDMENT OF THE CONSTITUTION LAW OF (English translation) ΓΕΝ (Α) L.94 ISBN NICOSIA

IN THE SUPREME COURT OF THE UNITED KINGDOM UKSC 2012/

IN THE EUROPEAN COURT OF HUMAN RIGHTS App No 58170/13 BETWEEN: BIG BROTHER WATCH & ORS - v - THE UNITED KINGDOM

ARTICLE 29 DATA PROTECTION WORKING PARTY WORKING PARTY ON POLICE AND JUSTICE

Social Media and the Protection of Privacy Jan von Hein

A. S. Uzlău C. M. Uzlău

REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 9 July 2008

Transcription:

Notes - Check against Delivery FOR THE EXCLUSIVE USE OF THE INTERPRETATION SERVICE OF OF THE COURT OF JUSTICE OF THE EU At the Oral Hearing on 24 th March 2015 in Case C-362/14: MAXIMILLIAN SCHREMS Applicant V. DATA PROTECTION COMMISSIONER Respondent AND DIGITAL RIGHTS IRELAND LIMITED Amicus curiae Oral Speaking Notes of Maximillian Schrems Pleading: Noel J. Travers, Senior Counsel, Bar of Ireland and Professor Dr. Herwig Hofmann, Rechsanwalt, Cologne Bar (Germany). With them, Mr. Paul O Shea, Barrister, Bar of Ireland. Instructed by: Mr. Gerard Rudden, Solicitor, Ahern Rudden Solicitors, 5 Clare Street, Dublin 2, Ireland. President, Members of the Court, Advocate General

2 I. Introduction 1. Mr. Schrems is a European Facebook user. He has complained about the transfer of his personal data by Facebook Ireland to Facebook in the USA. There, under US law, that data is subject to mass and indiscriminate general surveillance. We submit that such a form of mass surveillance is manifestly incompatible with the fundamental right to privacy and data protection for which Union law provides. Some of those who have submitted written observations, most notably the Commission, the DPC and the UK, appear to think that a finding under Article 25 of Directive 95/46 may override higher ranking EU law. We disagree and observe that the Commission s position is plainly at odds with that set out in its 2013 Communications, referred to in the Court s third set of questions. II. More serious breach here than in Digital Rights Ireland 2. In Digital Rights Ireland you held that indiscriminate retention within the EU of data provided for by Directive 2006/24 (the Data Retention Directive) was incompatible with the fundamental right to

3 privacy guaranteed by Union law, and annulled that Directive. We welcome that judgment. The principles it so clearly enunciates apply a fortiori to the far more egregious breach of the right to privacy involved in this case. 3. It involves surveillance that is manifestly incompatible under Articles 7 and 8 of the Charter - especially when taking into consideration that you held in Digital Rights Ireland that even limiting surveillance to a mere retention of data, and notwithstanding that the Data Retention Directive at issue imposed time limits and allowed citizens judicial redress, it was incompatible with Articles 7 and 8 of the Charter. Here, the relevant US surveillance laws lack all of these elements amounting to an unfettered surveillance of all personal data of non-us citizens. 4. The interference is so serious that it violates, as the European Parliament and Italy also submit, the essence of the right to privacy and data protection under the Charter. This is clear from the finding in Digital Rights Ireland, where you held (paragraph 39), that Data Retention Directive did not as such adversely affect the essence of those rights because it does not permit the acquisition of knowledge of the content of the electronic

4 communications. US surveillance does exactly that: it grants access to the content of all data. 5. US law allows, as the referring court has found, permits mass and undifferentiated surveillance by its public authorities to personal data on a casual or generalised basis, in circumstances where those authorities are not even required to provide objective justification. Critically, as the referring court has further found, the available access is neither based on considerations of national security nor on the prevention of crime specific to the individual. Moreover, the access is not attended by appropriate and verifiable safeguards. 6. It is difficult to conceive of a more serious violation of the essence of fundamental right in EU law to personal data privacy. It is manifestly more serious than the wide-ranging particularly serious interference identified and declared disproportional in Digital Rights Ireland (at paras 37 and 65). III. Validity of the so-called Safe Harbour Decision, Decision 2000/520

5 7. By finding adequacy in the light of these facts, the Decision 2000/520 violates both its own legal basis (Article 25 of Directive 95/46) and higher ranking Union law. I will address validity by reference to legal base in answering the Court s questions. Decision s Compatibility with Higher-ranking Union Law 8. Measures based on Directive 95/46 as in fact any measure taken by any EU institution must comply with EU fundamental rights, as explicitly confirmed in the Kadi case-law. Article 1(1) of Directive 95/46 specifies its objective as being to protect fundamental rights, particularly the right to privacy with regard to the processing of personal data. From this, it is clear that the right to privacy offers protection against both public and private infringements. 9. The possibility of generalised surveillance by US security agencies of data transferred for storage at Facebook Inc. (USA) by Facebook Ireland, under domestic US legislation like the Foreign Intelligence Services Act (FISA) manifestly comprises a form of processing and, thus, an interference with the data subjects fundamental rights. There is no protection from such interference in the USA.

6 10. Although the questions referred do not formally concern the validity of Decision 2000/520, it has been clear since your early case-law in Case 16/65 Schwarze 1 that, when interpretation of an act is requested in a preliminary reference, the Court is entitled firstly to consider the act s validity. In any event, we submit that the order for reference and the questions referred raise, by necessary implication, the validity of the Decision, and invalid we submit it is. IV. CJEU s Written Questions for Definition of Position 11. Turning rapidly to the Court s written questions, we will seek to define our position with regard to them succinctly. Underlying our position, is the duty of national authorities and the Commission to protect against the violations of the right to privacy. Question 1 12. By the introduction to and the first two parts of its first question, the Court identifies the obligation of the Commission to interpret its power under Article 25 of the Directive in the light of the overriding requirements of the fundamental right to privacy. Compliance 1 [1965] ECR 886.

7 therewith is a precondition for the valid adoption by the Commission of a decision under Article 25. 13. Although Member States national supervisory authorities are of course bound by the laws that apply to them, they, of course, include EU fundamental rights. However, any such national legal provision cannot, whether on its face or by interpretation, have the effect of precluding such an authority from carrying out an independent investigation of a reasoned complaint. 14. It would be the very antithesis of independence, if a supervisory authority were to be absolutely bound by a finding of fact in a Commission decision under Article 25(6). Consequently, our position is that national authorities established pursuant to Chapter VI of the Directive, when called upon by a complaint to investigate the adequacy of protection provided for in a third country, have the duty to investigate the complaint. 15. Regarding, the third part of the first question, any rules governing the limitation of international data transfers must allow national supervisory authorities to protect the fundamental rights of the data subject. Article 3(1)(b) of the Decision does not even allow this basic leeway. Of its cumulative requirements, the first

8 relates to the compliance with the SHPs. It requires that the annexed self-described Safe Harbour Principles ( SHPs ) are being violated. Consequently, it requires that an annexed, foreign text to the Decision, which text is subject, as to both its interpretation and compliance, to US law (see 6 th paragraph of the SHPs in Annex I) be violated, in circumstances where the text itself is also subject to any overriding legal act under US law (see 4 th subparagraph, SHPs). This is a wholly unacceptable benchmark for possible intervention by national supervisory authorities. It plainly prevents them from performing their duty to protect the fundamental rights of Union data subjects whose personal data is transferred to the USA. 16. The Commission and some of the intervening Member States refer to the reference to necessary in the fourth subparagraph of the SHPs to claim that this allows the application of an EU-law type proportionality requirement. Nothing could be further from the truth. As is clear from the fourth paragraph of the SHPs, the reference is either to foreign public interest or to what is necessary to comply with any legal act under US law, such as the FISA. 17. As for the Commission s argument in its written observation relating to the third of the cumulative requirements in Article

9 3(1)(b), i.e. the need to demonstrate an imminent risk of grave harm, we submit that a breach of the essence of a fundamental right, such as the right to privacy and data protection, comprises manifestly harm of the most grave and serious kind. 18. If, however, the Court considers, notwithstanding our submissions, that Article 3(1)(b) may be interpreted in a manner that renders it compatible with the Directive and higher-ranking Union law, we submit that a national authority in the position of the respondent DPC in this case has a duty to investigate the complaint and suspend data flows to the USA, as submitted by Poland, Austria and Slovenia. Question 2 19. Briefly, with regard to the first part of the second question, our position is that an adequacy decision under Article 25(6) of Directive 95/46 must fulfil both the material requirement under Article 25(2), which sets out and defines a requisite adequate level of protection and the additional formal requirement under Article 25(6) for such an adequacy finding ; i.e. that the protection must be provided by a domestic law or by a binding international

10 commitment by the third country concerned as an international legal person. 20. The SHPs, which is all that the Decision concerns, fall plainly short of both requirements. 21. Obviously, those self-styled principles do not comprise a law or an international commitment, cognisable under the Vienna Convention on the law of Treaties They are a mere publication of self-styled principles and so-called frequently asked questions that appear on a webpage of a US government department, the US Department of Commerce. 22. With regard to the material level of protection, we rely fully upon our detailed written observations and upon the in-depth analysis of Professor Boehm at Annex A.1 thereto regarding the adequacy of privacy protection under the SHPs and FAQS. 23. In summary, self-certification under the SHPs by entitles like Facebook Inc., especially if overruled by laws like the FISA, cannot provide adequate protection under Article 25 of the Directive. This

11 is a fortiori the case as the SHPs do not apply to US public authorities. 24. Regarding the second part of the second question of the Court, our position is yes: a genuine adequate level of protection under Article 25 of Directive 95/46 would manifestly require, having regard to the need to ensure that effect is given to Article 47 of the Charter and Article 8(3) thereof, in particular, as regards data protection, as well as Article 13 of the ECHR, the availability of an effective judicial remedy for data subjects in the third country concerned. 25. Regarding penultimately the third part of the second question, although the Decision was adopted before the Charter entered into force, our position is that privacy protection was assured, at the time, by the general principles of EU law arising from the ECHR and constitutional traditions in particular. The main problems with the Decision all existed also at the time of its adoption. In particular, it was uncontested that the formal requirements of Article 25(2) of the Directive were not satisfied by the US legal system. We refer, in particular, to Professor Boehm s analysis in the Annex I to our written observations and to paragraphs 30-33 of those observations.

12 Question 3 26. Finally regarding the third question, our position is that the Commission has stated publicly on multiple occasions that the Decision needs to be corrected. It was illegal then over 15 years ago and it is even more illegal now. Indeed, it was clear from recital 5 to the Decision 2000/520 that there was, even in July 2000, merely an aspiration by the Commission that the SHPs would achieve their stated objective of adequate protection. However, the Kadi case-law makes clear that respect for fundamental rights is a condition for the validity of Union acts. Thus, once it became clear to the Commission that its aspiration was hopelessly optimistic as regards the USA, it should have suspended Decision 2000/520. 27. Finally, invalidating the Decision would merely place those US companies who have self-certified into the normal position in which virtually all other non-eu companies, including may US companies, are. V. Conclusion

13 28. Accordingly, we respectfully request the Court to answer the questions referred as proposed in paragraph 77 of our written observations.

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback