By Christopher Kuner
Much discussion of foreign law in the work of the Court of Justice of the European Union (CJEU) has focused on how it deals with the rules, principles, and traditions of the EU member states. However, in its data protection judgments a different type of situation involving foreign law is increasingly arising, namely cases where the Court needs to evaluate the law of third countries in order to answer questions of EU law.
This is illustrated by its judgment in Schrems (Case C-362/14; previously discussed on this blog, as well as here), and by Opinion 1/15 (also discussed on this blog, part I and part II), a case currently before the CJEU in which the judgment is scheduled to be issued on 26 July. While these two cases deal with data protection law, the questions they raise are also relevant for other areas of EU law where issues of third country law may arise. The way the Court deals with third country law in the context of its data protection judgments illustrates how interpretation of EU law sometimes involves the evaluation of foreign legal systems, despite the Court’s reluctance to admit this.
The Schrems judgment
The Schrems case involved the validity of the EU-US Safe Harbour arrangement, a self-regulatory mechanism that US-based companies could join to protect personal data transferred from the EU to the US. Article 25(1) of the EU Data Protection Directive 95/46/EC allows transfers of personal data from the EU to third countries only when they provide an ‘adequate level of data protection’ as determined by a formal decision of the European Commission. On 26 July 2000 the Commission issued such a decision finding that the Safe Harbour provided adequate protection.
The plaintiff Schrems brought suit in Ireland based on the data transfer practices of Facebook, which was a Safe Harbour member. Schrems claimed that the Safe Harbour did not in fact provide adequate protection, and that the Irish Data Protection Commissioner (DPC) should reach this conclusion notwithstanding the Commission adequacy decision.
On 18 June 2014 the Irish High Court referred two questions to the CJEU dealing with the issue of whether the DPC could examine the validity of the Safe Harbour. In its judgment of 6 October 2015, the CJEU invalidated the Commission’s decision and held that providing an adequate level of data protection under EU law requires third country law and standards to be ‘essentially equivalent’ to those under EU data protection law (para. 73). A more detailed, general analysis of Schrems can be found in my article in the current issue of the German Law Journal.
Third country law under Schrems and Opinion 1/15
As far as third country law is concerned, the Schrems judgment requires an individual to be allowed to bring a claim to a data protection authority (DPA) that a Commission adequacy decision is invalid, after which he or she must be able to contest in national court the DPA’s rejection of such a claim, and the national court must make a preliminary reference to the CJEU if it finds the claim to be well-founded (para. 64). Thus, the Court practically invites individuals to bring claims to DPAs regarding the adequacy of protection in third countries, and requires national courts to refer them to the CJEU for a preliminary ruling.
Under the judgment, the standard for determining the validity of a Commission decision is whether third country law is ‘essentially equivalent’ to EU law, which by definition must involve an examination of the third country law with which EU law is compared.
The Court has stated that it does not pass judgment on the law of third countries. In the interview he gave to the Wall Street Journal in which he discussed the Schrems judgment, CJEU President Lenaerts said that ‘We are not judging the U.S. system here, we are judging the requirements of EU law in terms of the conditions to transfer data to third countries, whatever they be’. Advocate General Mengozzi also reiterated this point in para. 163 of his Opinion in Opinion 1/15.
However, it is surely disingenuous to claim that the Schrems case did not involve evaluation of US legal standards. First of all, the need to review third country law is logically inherent in the evaluation of a Commission decision finding that such law provides protection essentially equivalent to that under EU law. Secondly, the CJEU in Schrems did indeed consider US law and intelligence gathering practices and their effect on fundamental rights under EU law, as can be seen, for example, in its mention of studies by the Commission finding that US authorities were able to access data in ways that did not meet EU legal standards, in particular the requirements of purpose limitation, necessity, and proportionality (para. 90). Indeed, whether US law adequately protects against mass surveillance by the intelligence agencies was a major issue in the case, as the oral hearing before the Court indicates.
Opinions of Advocates General in data protection cases also illustrate that the CJEU sometimes examines third country law when answering questions of EU law. For example, the opinion of Advocate General Bot in Schrems contains an evaluation of the scope of the supervisory powers of the US Federal Trade Commission (paras 207-208). And in Opinion 1/15, Advocate General Mengozzi indicated that provisions of Canadian law had been brought before the CJEU (para. 320), and that some of the parties’ contentions required interpretation of issues of Canadian law (para. 156). As a reminder, Opinion 1/15 is based on a request for an opinion by the European Parliament under Article 218(11) TFEU concerning the validity of a draft agreement between the EU and Canada for the transfer of airline passenger name records, which shows the variety of situations in which questions of third country law may come before the CJEU.
It is inevitable that the CJEU will increasingly be faced with data protection cases that require an evaluation of third country law. For example, the Commission indicated in a Communication of January 2017 that it will consider issuing additional adequacy decisions covering countries in East and South-East Asia, India, Latin America, and the European region. In light of the Schrems judgment, challenges to adequacy decisions brought before a DPA or a national court will often result in references for a preliminary ruling to the CJEU. Furthermore, the interconnectedness of legal orders caused by globalization and the Internet may also give rise to cases in other areas of law where evaluation of third country law is necessary to answer a question of EU law.
Since in references for a preliminary ruling the determinations of national courts will generally be accepted by the CJEU, and a request to intervene in a preliminary ruling procedure to submit observations on third country law is not possible, there is a risk that a judgment in such a case could be based on an insufficient evaluation of third country law, such as when the evidence concerning such law is uncontested and is presented only by a single party. In fact, the evidence concerning US law in the Schrems judgment of the Irish High Court that resulted in the reference for a preliminary ruling to the CJEU was in effect uncontested. By contrast, in the so-called ‘Schrems II’ case now underway in Ireland, the Irish courts have allowed oral and written submissions on US law and practice by a number of experts.
Scholarship and practice in private international law can provide valuable lessons for the CJEU when it needs to evaluate third country law. For example, situations where evidence concerning foreign law is presented by a single party and is uncontested have been criticized in private international law scholarship as a ‘false application of foreign law’, because such evidence can prove unreliable and result in unequal treatment between foreign law and the law of the forum (see the excellent 2003 lectures of Prof. Jänterä-Jareborg in volume 304 of the Collected Courses of the Hague Academy of International Law regarding this point).
If the CJEU is going to deal increasingly with third country law, then it should at least have sufficient information to evaluate it accurately. It seems that the CJEU would view third country law as an issue of fact to be proved (see in this regard the article by Judge Rodin in the current issue of the American Journal of Comparative Law), which would seem to rule out the possibility for it to order ‘measures of inquiry’ (such as the commissioning of an expert’s report concerning third country law) under Article 64(2) of its Rules of Procedure in a reference for preliminary ruling for the interpretation of Union law. However, the Court may order such measures in the scope of a preliminary ruling on the validity of a Union act, which would seem to cover the references for a preliminary ruling mandated in Schrems (see para. 64 of the judgment, where the CJEU mandates national courts to make a reference to the Court ‘for a preliminary ruling on validity’ (emphasis added)). Thus, the CJEU may have more tools to investigate issues of third country law than it is currently using.
It would also be helpful if the Commission were more transparent about the evaluations of third country law that it conducts when preparing adequacy decisions, which typically include legal studies by outside academics. These are usually not made public, although they would provide useful explanation as to why the Commission found the third country’s law to be essentially equivalent to EU law.
In conclusion, the CJEU should accept and be more open about the role that third country law is increasingly playing in its data protection judgments, and will likely play in other areas as well. Dealing more openly with the role of third country law and taking steps to ensure that it is accurately evaluated would also help enhance the legitimacy of the CJEU’s judgments. Its upcoming judgment in Opinion 1/15 may provide further clarification of how the CJEU deals with third country law in its work.