The Irish Supreme Court has dismissed Facebook’s appeal against a decision by the Irish High Court to refer 11 questions over the validity of data transfers between the European Union (EU) and the US to the European Court of Justice (CJEU) for answers.
The case is part of a long-running legal battle brought by Austrian lawyer Max Schrems, who argues that Facebook’s involvement with the US National Security Agency’s (NSA) Prism surveillance programme puts the private data of European citizens at risk.
It is likely to have major implications for the validity of standard contractual clauses (SCCs), which are widely used by companies to transfer personal data between Europe and the US, to ensure that they comply with EU data protection law.
The court ruled today (31 May 2019) that it could not consider Facebook’s appeal against the High Court’s decision to make a referral to the European Court of Justice.
Chief Justice Frank Clarke said the court could not entertain an appeal against the High Court decision to make a reference or against the terms of reference.
He said it was for the referring court, and that court alone, to decide whether to make a reference and whether to amend or withdraw that.
The European Court of Justice is due to address the questions at a hearing on 9 July 2019.
In a statement after the verdict, Schrems accused Facebook of investing millions in an attempt to stop his legal case progressing.
“It is good to see that the Supreme Court has not followed Facebook’s arguments that were in total denial of all existing findings so far,” he said. “We are now looking forward to the hearing at the Court of Justice in Luxembourg.”
Today’s judgment follows a three-day hearing in January, where Facebook challenged an earlier finding of fact in a ruling by Dublin’s High Court that the US was engaged in “mass and indiscriminate surveillance” of European citizens.
Paul Gallagher, SC, argued that the High Court’s findings could lead to Privacy Shield and SCCs being invalidated, with “very serious consequences” for Facebook and other businesses.
He told the five Supreme Court judges that judge Caroline Costello had failed to take into account evidence from Facebook’s expert witnesses that the NSA does not engage in mass surveillance.
The Irish data protection commissioner (DPC), Helen Dixon, opposed Facebook’s arguments for an appeal against the referral.
Michael Collins, SC, representing Dixon, told the five judges that Facebook was attempting to head off a potentially adverse finding by the CJEU that data transfers between the EU and the US did not comply with EU law.
“The whole reason for Facebook being here is that the whole judgment will be referred to the European court, and they don’t want the court to make a binding decision,” he said.
Costello’s High Court judgment – issued in October 2017 and revised in April 2018 – referred to US safeguards and oversights of the intelligence services gathering electronic data, the court heard.
These included PDP 28, a presidential directive issued by US president Obama on surveillance and US oversight bodies including the Privacy and Civil Liberties Oversight Board (PCLOB), as well as the Senate Intelligence and Judiciary Committees.
“It is difficult to understand how she [Costello] can be said not to have taken into account the safeguards there,” said Collins.
Read more about Facebook and Max Schrems
- Facebook’s challenge to a High Court ruling that raises serious concerns about data transfers between Europe and the US is more about appearance than facts, lawyers for the Irish Data Protection Commission told Dublin’s Supreme Court.
- Social media giant challenges a ruling by Dublin’s High Court over a judgment that it says made “extraordinary and incorrect” findings about the US legal system.
Costello referred 11 issues for determination by the CJEU in May 2018, following an October 2017 High Court judgment. Facebook argued at the Supreme Court in January that it was entitled to appeal the referral. It also disputed several of the High Court’s findings, including that the DPC had “well-founded” concerns about “mass indiscriminate processing” of data by US government agencies.
The US government presented legal arguments to the court after being joined to the case as an amicus curiae to assist the court.
It supported Facebook’s argument that the Privacy Shield agreement between the EU and US meant there was no requirement to make a referral to the European court. US government lawyers argued that the European Commission had determined that the US ensures an adequate level of protection for personal data transferred under Privacy Shield.
Lawyers for the DPC said Dixon had concerns whether the measures provided for under Privacy Shield were comparable to the remedy available to EU citizens for breach of data privacy rights under Article 47 of the EU Charter.
The case, which has been running for more than six years, has yet to be resolved. Schrems first filed a complaint against Facebook to the Irish DPC in 2013.
The European Court of Justice ruled in 2015 in favour of Schrems, finding that the Safe Harbour agreement that allowed EU-US data transfers was invalid, and ordered the Irish DPC to investigate the case.
Dixon took legal action against Facebook and Schrems in 2016 in a manoeuvre to send further questions to the European Court of Justice.
The Irish High Court ruled that the US government had engaged in “mass processing” of Europeans’ personal data.
According to Schrems, Facebook made an unprecedented application to prevent the court referring the questions to Luxembourg by asking the Irish Supreme Court to “advise” the High Court on the matter.
Both parties did not dispute that the Supreme Court had no jurisdiction to overturn the High Court’s referral to Europe, he said.
Read more on Privacy and data protection
Irish High Court dismisses legal bid by Facebook over EU-US data transfers
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
Facebook takes legal action against Irish privacy watchdog
Irish privacy watchdog orders Facebook to stop sending user data to the US