Transfer of the data of European Facebook subscribers to servers located in the United States

The Opinion of Advocate General Bot, delivered on 23 September 2015

The Data Protection Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The directive also provides that the Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

More particularly, it referred the following questions to the CJEU:

Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding?

Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?
In his opinion, Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid.
More particularly, he concludes that:
1) Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
2) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.
Admittedly, it is not certain that the Court will follow the opinion of the Advocate General. Nevertheless, it will certainly influence the future decision of the Court and it may lead to the affirmation that national data protection authorities retain the right to investigate complaints against third countries that allegedly infringe data subjects’ rights.
It also becomes clear that, in view of Edward Snowden’s revelations, Decision 2000/520/EC is unjustified and should be annulled. What is also important is the Advocate General’s view that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter of Fundamental Rights. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter.

Video surveillance – CJEU decision

The Data Protection Directive (95/46/EC) applies to a video recording made with a surveillance camera installed by a person on his family home and directed towards the public footpath. Nevertheless, under the Directive, a person has a legitimate interest in protecting the property, health and life of his family and himself.
Under the Data Protection Directive, it is not as a general rule permitted to process personal data unless the data subject has given his consent. However, the directive does not apply to the processing of data carried out by a natural person in the course of a purely personal or household activity.
Mr Ryneš and his family were subjected to a number of attacks by unknown persons, and on several occasions the windows of their house were broken. In response to those attacks, Mr Ryneš installed a surveillance camera on the family home, which filmed the entrance, public footpath and the entrance to the house opposite.

During the night of 6 to 7 October 2007, a window of the family home was broken by a shot from a catapult. The recordings made by the surveillance camera were handed over to the police and made it possible to identify two suspects, who were subsequently prosecuted before the criminal courts.
However, one of the suspects disputed before the Czech Office for the Protection of Personal Data the legality of the processing of the data recorded by Mr Ryneš’ surveillance camera. The Office found that Mr Ryneš had in fact infringed the personal data protection rules and fined him. In that connection, one of the points made by the Office was that the data on the suspect had been recorded without his consent while he was on the public footpath in front of Mr Ryneš’ house.

The Nejvyšší správní soud (Supreme Administrative Court, Czech Republic), hearing the appeal in the dispute between Mr Ryneš and the Office, asks the Court of Justice whether the recording made by Mr Ryneš for the purposes of protecting the life, health and property of his family and himself (that is to say, the recording of personal data relating to the individuals launching an attack on his house from the public footpath) constitutes a category of data processing that is not covered by the directive, on the grounds that that recording was made by a natural person in the course of purely personal or household activities.

In this judgment, the Court states first of all that the term ‘personal data’ as used in the Directive encompasses any information relating to an identified or identifiable natural person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to one or more factors specific to his physical identity. Consequently, the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned.
Similarly, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Secondly, the Court finds that the exception provided for in the directive in the case of data processing carried out by a natural person in the course of purely personal or household activities must be narrowly construed. Accordingly, video surveillance which covers a public space and which is accordingly directed outwards from the private setting of the person processing the data cannot be regarded as an activity which is a ‘purely personal or household activity’.

In applying the Directive, the national court must, at the same time, bear in mind the fact that that directive makes it possible to take into account the legitimate interest of the person who has engaged in the processing of personal data (‘the controller’) in protecting the property, health and life of his family and himself.

Specifically, firstly, one of the situations in which personal data processing is permissible without the consent of the data subject is where it is necessary for the purposes of the legitimate interests pursued by the controller. Secondly, the data subject need not be told of the processing of his data where the provision of such information proves impossible or would involve a disproportionate effort. Thirdly, Member States may restrict the scope of the obligations and rights provided for under the Directive if such a restriction is necessary to safeguard the prevention, investigation, detection and prosecution of criminal offences, or the protection of the rights and freedoms of others.

EU Study: Towards a New EU Legal Framework for Data Protection and Privacy

The EU Directorate General for Internal Policies recently published a Study on a New EU Legal Framework for Data Protection and Privacy, which was requested by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs.

This study addresses the new challenges stemming from data processing policies and systems falling in the scope of police and judicial cooperation in criminal matters in the EU Area of Freedom, Security and Justice. It identifies a set of common basic principles and standards for the genuine assurance of data protection in all the phases of EU policymaking and for the effective implementation of this fundamental right.
The study puts forward a set of recommendations to guide the European Parliament’s role and legislative inputs into the upcoming revision of the EU legal framework on data protection, which is expected to be launched by the end of 2011.

The authors of the study are:
Prof. Didier Bigo (Centre d’Etudes sur les Conflits, C&C)
Dr Sergio Carrera (Centre for European Policy Studies, CEPS)
Ms Gloria González Fuster (Vrije Universiteit Brussel, VUB)
Prof Elspeth Guild (CEPS and Radboud University of Nijmegen)
Prof. Paul de Hert (Vrije Universiteit Brussel, VUB)
Dr Julian Jeandesboz (Centre d’Etudes sur les Conflits, C&C)
Dr Vagelis Papakonstantinou (Vrije Universiteit Brussel, VUB)

Privacy issues in e-justice


Ioannis Iglezakis,
Presentation in the Conference ICT4Justice (THESSALONIKI, GREECE – OCTOBER 24th, 2008).

Privacy in the information society is more than the right to be left alone. The concept of privacy in its traditional form includes the right of the individual to shield his or her most intimate activities, thoughts and beliefs from other people. However, as modern people are not living in a state of isolation, but of interaction, it is clear that nobody can live alone, isolated from others. Therefore, it becomes evident that modern privacy (should) encompass not just the right to be left alone, but rather the right to control how information about the individual is collected, used and processed.

Particularly, in view of the risks which are inherent in new technologies, privacy can be conceptualized as the individual’s right to protection of personal information concerning the use of ICT. Privacy issues are emerging in various cases in which information and communication technologies are employed. ICTs are also introduced in the justice sector with a view to providing more efficiency, accountability and enhanced cross-border cooperation. Although e-Justice will play a big role in the modernization of the system of justice in the near future, its development should also take into account the need to provide protection of privacy.

In particular, e-justice aims at allowing greater information sharing between government departments and between judicial and police authorities in different countries. This increase in the flow of personal information may, however, infringe privacy, because it could contravene the purpose limitation principle.

More generally, the more personal data are processed by public authorities, the greater the surveillance potential becomes, and this increase provokes fears of a ‘big brother’ State.

Furthermore, data exchanged in the framework of police and judicial cooperation in criminal matters may not find adequate protection if there are no rules establishing clear protection of the fundamental rights of individuals. It is, thus, necessary to lay down the requirements for the transmission and making available of personal data to authorities in other states, as well as for the further processing of such data.

In the EU, a high standard of protection is afforded and in order to maintain it, it needs to be determined that data could be transferred only when third countries provide an adequate level of protection.

The main regulatory instrument in the EU and the Member States is Directive 95/46/EC, which introduces a high level of data protection and has contributed to harmonization of data protection legislation in the European Union. The Directive does not apply, however, to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.

At the international level, there is no exemption concerning criminal law and the justice sector in the Council of Europe’s Convention for the Protection of Individuals with regard to automatic processing of personal data of 1981. This Convention is considered a cornerstone in data protection, as it influenced the European States and formed the basis for the provisions of the EU Directive.

In Greece, protection of personal data is enshrined in Article 9A of the amended Constitution and in Law 2472/1997, which includes rules for the lawful processing of personal data, grants rights to data subjects and establishes a control system in which the central role is granted to the Authority for the Protection of Personal Data (hereinafter “Authority”). In addition, it provides for administrative and criminal sanctions, and remedies in case of non-compliance with its provisions. With the enactment of the Data Protection Act the legislator defines the essential regulatory framework regarding data processing and regulates, in effect, the flow of personal data within the society and between individuals.

The Greek law regulates in Article 5 the conditions under which processing of personal data is permitted. Data processing is lawful only if it is grounded on one of the particular instances referred to in this Article. In the framework of e-justice, the provision of para. 2 lit. d is relevant, which provides that processing is necessary for the performance of a task carried out in the public interest or a project carried out in the exercise of public function by a public authority. This requirement is fulfilled where collection and electronic storage of data is carried out for the purpose of creating an electronic case file and further, where personal data are transferred to law enforcement authorities in the framework of police and judicial cooperation and on the basis of binding legal rules (e.g. Convention implementing the Schengen Agreement of 1990, Europol Convention 1995, Decision for Eurojust of 2002, etc.).

Specific rules apply for personal data of a more sensitive nature, such as those referring to criminal charges or convictions. Particularly in case of data processing in e-justice, the provision of Art. 7 (2) e is relevant, providing that processing is carried out by a Public Authority and is necessary, inter alia, for the purposes of criminal or correctional policy and pertains to the detection of offences, criminal convictions or security measures.

Additional safeguards are the provisions providing for confidentiality and security of processing and those concerning rights of the data subjects, i.e. the right to information, the right to access of data, the right to object to data processing and the right to provisional judicial protection.

Recently, with Law 3625/2007, the data protection act was amended and an exemption from the field of application was included, providing that the Law does not apply to data processing carried out by judges and public prosecutors in the administration of justice or for the need of crime investigation and concerning felonies or offences committed with intent, particularly those against life, sexual freedom and exploitation of sexuality, drugs etc. In these cases, the law states that the provisions of common legislation apply, and this means that the public prosecutors and other judicial authorities are not bound by data protection law, but only by criminal law provisions, such as the Penal Code and Penal Procedure Code. Particularly the latter contains provisions providing for protection of the fundamental rights of accused persons; however, there are no concrete provisions for data protection in this act or in other relevant legislation. This deficit is particularly apparent in the case of judicial cooperation, where there are no legislative safeguards for individuals.

In order to address the issues concerning particularly the processing of personal data in the framework of police and judicial co-operation in criminal matters, the EU Commission submitted in 2005 a Proposal for a Council Framework Decision. The proposal, once accepted, will fill the existing gap in this particular sector.

In particular, the Framework Decision determines common standards to ensure the protection of individuals with regard to the processing of personal data in the framework of police and judicial co-operation in criminal matters, provided for by Title VI of the Treaty on European Union. As a result, no restrictions of data flow should be imposed, according to Article 2 (2), which states that Member States shall ensure that the disclosure of personal data to the competent authorities of other Member States is neither restricted nor prohibited for reasons connected with data protection.