On 23 September 2015, Advocate General Bot of the Court of Justice of the EU delivered his Opinion in Schrems v Data Protection Commissioner (Case C‑362/14). The Opinion grabbed headlines, because it concluded that US data protection rules - the so-called Safe Harbour principles, which allegedly permit the wholesale disclosure of EU citizens' data to the National Security Agency - unlawfully breach EU privacy rights, and are invalid. This part of the Opinion has already been discussed at length in the press, so we do not propose to go over it here.
While the invalidity of the Safe Harbour decision grabbed headlines, there is another aspect of the Opinion which could, if adopted, have potentially more far reaching legal effects. The AG expressed the view that Commission Decisions on the adequacy of a third country's data protection law were "not absolutely binding" on national data protection authorities ("DPAs"). Even where the Commission had approved the data protection regime of a non-EU state, national data protection authorities were nevertheless required to investigate complaints about alleged shortcomings in that state's protections. Where, in the view of the national DPA, these protections were inadequate, the national DPA is required to suspend the transfer of data to that state.
The AG reached this conclusion on the basis that the principle of the independence of national DPAs - stated in the Data Protection Directive, and alluded to in Article 8 of the Charter of Fundamental Rights - means that national DPAs' powers to investigate cannot be limited by decisions adopted by the EU Commission in relation to third country transfers. Despite secondary legislation adopted by the Commission, national DPAs retain the power to independently assess compliance with fundamental rights.
If adopted, this part of the Opinion would have a major impact on the uniform application of data protection rules across the EU. One consequence of the Opinion is that the transfer of employee data from EU affiliates to a US parent company under Safe Harbour rules (or, indeed, any revised Safe Harbour agreement) may be permitted by some national DPAs, but prohibited by others. Businesses operating across EU jurisdictions could, therefore, be faced with a multiplicity of investigations and differentiated national regulatory requirements relating to third country transfers. This would be a significant set-back in terms of legal certainty.