The right of Facebook and other companies to share the personal data of European citizens with the US faces fresh uncertainty as the Irish High Court seeks a determination over the legality of EU-US data sharing mechanisms from Europe’s highest court.
The Irish High Court yesterday proposed 11 questions for determination by the European Court of Justice (CJEU) in a case that will test whether companies can legally transfer personal data to the US, in the light of disclosures by Edward Snowden that the US is engaged in large-scale surveillance of EU citizens.
The questions, released at a court hearing in Dublin, are the latest salvo in a five-year legal battle between Austrian lawyer Max Schrems and Facebook. Schrems has accused Facebook of sharing his personal data, and that of other Facebook users, with the US National Security Agency, in breach of European law.
Justice Caroline Costello found in a judgment last October that the US is engaged in “mass indiscriminate processing” of data through the NSA’s surveillance programmes, codenamed Prism and Upstream, which are authorised under the US Foreign Intelligence Surveillance Act.
“In the long run, the only reasonable solution is to cut back on mass surveillance laws,” said Schrems in a statement after the hearing. “If there is no such political solution between the EU and the US, Facebook would have to split global and US services into two systems and keep European data out of reach for US authorities, or face billions in penalties under the upcoming EU General Data Protection Regulation.”
The Dublin court’s questions go to the heart of standard contractual clauses (SCCs), which are widely used by companies to share personal data between Europe, the US and other countries. Dublin intends to seek a determination from the European Court of Justice as to whether SCCs are in breach of Articles 7 and 8 of the European Charter, which protect personal privacy and the privacy of European citizens’ data.
Gerard Rudden, solicitor for Schrems, said the question was hugely significant. “If the CJEU rules against SCCs, then the provisions will fail. They will be invalidated and therefore companies would not be entitled to rely on them to transfer data from outside the EU,” he told Computer Weekly.
Rights of redress
The Dublin court will also ask the CJEU to determine whether the US has provided adequate rights of redress under Article 47 of the European Charter of Fundamental Rights, for European citizens who believe their privacy rights have been breached in the US.
Facebook has argued in the case that the Treaty of Europe gives member states exemption from EU law over matters of national security, and that, as a consequence, processing of EU data by the US agencies should also be exempt from European law.
The court will seek a determination whether EU exemptions for national security apply, irrespective of whether the processing takes place in the EU, the US or a third country.
The court has also asked the CJEU to rule whether the EU Charter and the EU law, or the national state or national laws of EU states apply when deciding whether the data privacy rights of EU citizens are breached.
Another question asks whether the EU-US Privacy Shield agreement – the replacement for Safe Harbour, which was struck down by the European court – applies to all data transfers to the US, including SCCs.
The questions were put together after the Costello heard submissions from parties in the case following a judgment last October.
The current hearings were initiated when Ireland's Data Protection Commissioner, Helen Dixon, brought legal proceedings against Facebook and Schrems. The US government, the Washington-based Electronic Privacy Information Centre, the Business Software Alliance and Digitial Europe were joined to the case.
Costello agreed to make the referral to Europe after agreeing with the Irish data protection commissioner that there were good reasons for believing that SCCs are invalid.
She said the commissioner had raised “well-founded” concerns about the absence of an effective remedy in US law where EU data transferred to the US “may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the charter.”
In a statement after the hearing, Schrems said the Irish data protection commissioner could have dealt with the case herself, but he was hopeful that the referral to the CJEU would bring a final resolution.
“Given case law, the question in this case does not seem to be if Facebook can win it, but to what extent the European Court of Justice will prohibit Facebook’s EU-US data transfers,” he said.
During the hearing, Paul Gallagher SC, for Facebook, asked for time to consider seeking appeal against the judge’s decision to make a referral to the CJEU.
Michael Collins SC, representing the Irish data protection commissioner, said he did not object to Facebook being given time to consider its approach, but queried whether it was legally entitled to appeal against the High Court’s referral to the CJEU.
Costello told the court she had given a judgment in October ordering the reference to Europe, but would allow Facebook until 30 April to consider its position.
Read more on Privacy and data protection
Irish privacy watchdog orders Facebook to stop sending user data to the US
Why data exports from the EU will be challenging without Privacy Shield
Schrems steps up pressure on Irish data protection commissioner on Facebook’s data sharing with US
Schrems v Facebook: European court strikes down EU-US Privacy Shield agreement