Presentation is loading. Please wait.

Presentation is loading. Please wait.

DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.

Published byDenis Wiggins Modified over 8 years ago

Similar presentations

Presentation on theme: "DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC."— Presentation transcript:

1 DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC

2 Background to Schrems v DPC Increasing prominence of data protection law in Europe. Lengthy and fractious negotiation of General Data Protection Regulation. Articles 7 and 8 of the Charter on Fundamental Rights. Robust judgments of the Court of Justice of the European Union – Google Spain, Digital Rights Ireland. Snowden revelations – Project PRISM.

3 Safe Harbor and Schrems v DPC I. Overview of Safe Harbor II. The High Court’s Decision in Schrems v DPC III. The Decision of the Court of Justice of the European Union IV. Practical Effects: Implications for International Data Transfer V. Beyond Safe Harbor

4 I. Overview of Safe Harbor Commission Decision 2000/520, 26 July 2000, under Article 25(6), Data Protection Directive. European Commission and US Department of Commerce. Transfer of data from EU to US. Safe Harbor privacy principles – corresponded to principles under Data Protection Directive. Set of FAQs. Self-certification system.

5 The Safe Harbor Privacy Principles Notice - Inform individuals as to purpose etc. Choice – Allow opt out. Onward Transfer – Disclosure to 3 rd parties. Security – Duty to protect against loss, misuse, etc. Data Integrity – Processing must be relevant to purpose of collection/authorisation. Access – Individual right to access personal data. Enforcement – Effective mechanisms.

6 II. The High Court’s Decision in Schrems v DPC [2014] IEHC 310 Facts: Privacy campaigner Maximillian Schrems. Facebook Ireland is data controller for European users of Facebook service. Mr Schrems’ 23 complaints to Irish Data Protection Commissioner. Complaint 23: that his data was not secure under Safe Harbor in light of Snowden allegations. DPC rejects complaint as ‘frivolous and vexatious’ on basis he is bound by Safe Harbor. Mr Schrems initiates judicial review proceedings.

7 II. The High Court’s Decision in Schrems v DPC Holding: High Court, Hogan J. Makes preliminary reference of questions to Court of Justice of European Union. Findings of fact:  “I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data. Indeed, in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusion.” [para. 13]

8 II. The High Court’s Decision in Schrems v DPC Locus Standi: Mr Schrems entitled to invoke provisions of Irish Constitution, though not resident in Ireland. Findings on constitutionality of mass State surveillance. Right to privacy and right to inviolability of dwelling. Links to German basic law.  “One might accordingly ask how the dwelling could in truth be a "place of repose from the cares of the world" if, for example, the occupants of the dwelling could not send an email or write a letter or even conduct a telephone conversation if they could not be assured that they would not be subjected to the prospect of general or casual State surveillance of such communications on a mass and undifferentiated basis.” [para. 54]

9 II. The High Court’s Decision in Schrems v DPC Reference for preliminary ruling by CJEU. (1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding? (2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?

10 III. Decision of the Court of Justice of the European Union Case C-362/14 Schrems v Data Protection Commissioner EU:C:2015:650 Struck down two provisions of Safe Harbor decision. Invalidity of Safe Harbor programme necessarily followed. Article 1 Safe Harbor not compliant with Article 25(6) Data Protection Directive. No finding as to adequacy of data protection in US law. Need for “essential equivalence.” Safe Harbor principles subordinate to general law and national security measures.

11 III. Decision of the Court of Justice of the European Union Absence of real enforcement mechanisms for individuals. Compliance with Articles 7 and 8 of Charter of Fundamental Rights of the European Union. Requirement that derogations from general rules re personal data be strictly construed. Mass surveillance not compliant with Charter:  “In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.” [para. 94]

12 III. Decision of the Court of Justice of the European Union General comments on role of national supervisory authorities. Individuals entitled to bring complaints to national authorities re security of their data, even where Commission decision in place. Individual and national authorities must both have recourse to judicial remedies with view to making preliminary reference.

13 III. Decision of the Court of Justice of the European Union Article 3 Safe Harbor declared invalid. Purported to deny national supervisory authorities powers granted by Article 28 of Data Protection Directive. Article 25(6) does not grant Commission entitlement to abridge those powers. Backdrop of tension as to role of national supervisory authorities.

14 IV. Practical Effects: Implications for International Data Transfer Invalidity of Safe Harbor not surprising. Many organisations had contingency plans in place. Reliance on other provisions of Directive for international data transfer:  Standard contractual clauses  Binding corporate rules  Derogations:  Performance of contract  Establishment, exercise or defence of legal claims  Consent of the individual

15 V. Beyond Safe Harbor Privacy Shield – agreement in principle. Schrems sets parameters for agreement:  Need for general finding as to adequacy of legal protection.  Strict scrutiny of derogations from data protection rules.  Incompatibility of mass surveillance with Charter.  Significance of independence of national supervisory authorities.

16 Questions and Comments Welcome Andrea Mulligan BL  andrea.mulligan@lawlibrary.ie andrea.mulligan@lawlibrary.ie  086 3857328  Law Library, Four Courts, Dublin 7.

Download ppt "DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC."

Similar presentations

Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection Billy Hawkes Data Protection Commissioner Irish Human Rights Commission 20 November 2010.

Data Protection Billy Hawkes Data Protection Commissioner Irish Human Rights Commission 20 November 2010.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Slide 1/15 © copyright Standard training programme in judicial cooperation in criminal matters within the European Union Version: 3.0 Last updated: 31.10.2012.

Slide 1/15 © copyright Standard training programme in judicial cooperation in criminal matters within the European Union Version: 3.0 Last updated:
Den Europæiske Ombudsmand Der Europäische Bürgerbeauftragte Ο Ευρωπαίος Διαμεσολαβητής The European Ombudsman Il Mediatore Europeo Le Médiateur Européen.

Den Europæiske Ombudsmand Der Europäische Bürgerbeauftragte Ο Ευρωπαίος Διαμεσολαβητής The European Ombudsman Il Mediatore Europeo Le Médiateur Européen.
International Treaty in EU PIL

International Treaty in EU PIL
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
The National Academy of Sciences of Ukraine Kyiv University of Law Anna Vasilchenko Department of International Law Group IL-41.

The National Academy of Sciences of Ukraine Kyiv University of Law Anna Vasilchenko Department of International Law Group IL-41.
A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.

A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.
Per Anders Eriksson

Per Anders Eriksson
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection Overview

Data Protection Overview
Tina Kraigher and Milena Podjed-Fabjančič 18 April 2010 Processing of Telephone Traffic Data of Employees ( a Case Study )

Tina Kraigher and Milena Podjed-Fabjančič 18 April 2010 Processing of Telephone Traffic Data of Employees ( a Case Study )
The Law of the European Union Information and Communication.

The Law of the European Union Information and Communication.
Introduction to EU Law Cont.d. ECJ – TFI (Arts. 220-245) “The Court of Justice and the Court of First Instance, each within its jurisdiction, shall ensure.

Introduction to EU Law Cont.d. ECJ – TFI (Arts ) “The Court of Justice and the Court of First Instance, each within its jurisdiction, shall ensure.

Similar presentations

Ads by Google