A High Court judge in Dublin has asked the Court of Justice of the EU to decide on the validity of EU-US data transfers, in a case that could have implications for trade between the EU and the US, and the privacy of millions of EU residents.
Justice Caroline Costello, ruling on a case originally brought by Austrian lawyer Max Schrems (pictured above) against Facebook Ireland, said there were “well-founded grounds” for believing the European Commission’s (EC) decision to approve data transfer channels known as Standard Contractual Clauses (SCCs) was not valid.
SCCs are widely used by businesses that transfer data to the US, to ensure they comply with European data protection laws. They are meant to give EU citizens the same level of privacy when their data is stored in the US as they would receive in Europe.
The case has implications for EU-US trade that could run into billions of euros, and for the data rights of millions of EU citizens and their safety and security, said Costello.
Facebook Ireland began using Standard Contractual Clauses to transfer data about its users from Europe to the US following the collapse of the EU-US Safe Harbour agreement, in 2015.
Both the social media company and the US government opposed the Irish data protection commissioner Helen Dixon’s application to refer the case to the European court.
But the judge agreed with the commissioner that there were grounds for believing that the EC’s decision to approve SCCs was invalid.
US conducts mass and indiscriminate processing of data
EU law guarantees a high level of protection to European citizens when their data is processed in the EU, and they are entitled to “an equivalent high level of protection” when their personal data is transferred outside the European Economic Area, she said.
The Irish data protection commissioner had raised “well-founded” concerns about the absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the EU, which guarantees the right to a fair trial, when an EU citizen’s data is transferred to the US.
The judge said data on European citizens transferred to the US “may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the charter”.
Having analysed evidence concerning US surveillance programmes, she said it was clear that “mass indiscriminate processing” of data was being carried out by US government agencies. There were several “very significant barriers” to individual EU citizens obtaining any remedy for unlawful processing of their personal data by US intelligence agencies.
No remedy for EU citizens in US
Dimissing arguments from Facebook and the US, the judge said the EC’s July 2016 adoption of Privacy Shield, which is designed to ensure there is adequate protection for personal data transferred from the EU to the US, did not prevent her from making a referral to the EU court.
The Ombudsperson mechanism in the Privacy Shield does not give EU citizens judicial protection or eliminate the data commissioner's concerns, the judge said.
An ECJ decision was necessary to determine whether the commissioner’s “exceptional discretionary power” under the 1995 Data Protection Directive to suspend or ban transfer of data to a data importer in a non-EU country is sufficient to secure the validity of the SCC decision.
Presenting her findings in a 152-page judgement issued today (3 October 2017), the judge said it was “extremely important” that there be uniformity in the application of the relevant European Directive throughout the EU “on this very important issue”, and this required that there be “consistency and clarity”.
The decision follows a complaint originally brought by Max Schrems against Facebook Ireland to the Irish data protection commissioner, in 2013, in which he argued that Facebook was in breach of Safe Harbour, following revelations in The Guardian that the US National Security Agency (NSA) had direct access to data on European users of Facebook stored in the US.
Speaking outside the court in Dublin, Schrems said the decision could have significant implications for the way the US and European countries carry out mass surveillance.
“It may allow the Court of Justice to have a really big new judgement on mass surveillance and how far countries can go, which is especially relevant for what European countries do, because it is not just the US, it is a lot of surveillance in the European Union as well,” he said.
Schrems’s objections 'well-founded'
Facebook Ireland, which has its headquarters in Dublin, and Schrems were defendants in the case, although no charges were brought against them. The US government, Business Software Alliance and civil liberties groups were among several parties joined to the case to provide advice to the court.
Max Schrems, Austrian lawyer who made a privacy complaint against Facebook
Schrems opposed a referral to the Court of Justice, arguing the commissioner had enough information to finalise his complaint without it.
He said in a statement today: “It is still unclear to me why the data protection commissioner is taking the extreme position that SCCs should be invalidated across the board, when a targeted solution is available. The only explanation I have is that they want to shift the responsibility back to Luxembourg instead of deciding for themselves.”
Facebook also opposed Dixon’s referral to the EU court. It argued with the US government that US law and other measures gave adequate data privacy rights to EU citizens.
That was disputed by Schrems and civil liberties groups including the Washington-based Electronic Privacy Information Center (EPIC).
Court hears new evidence on US surveillance
The judge reserved judgement on the 21-day case in March, but later agreed to a request from the US government to receive information about “significant” new developments in the matter.
They included a decision of the US Foreign Intelligence Surveillance Court (FISC) on 26 April 2017, which addressed the failure of US agencies to comply with surveillance restrictions imposed by the FISC and restraining collection of certain categories of data.
Another development was a decision by the US Court of Appeals for the Fourth Circuit that Wikimedia had the necessary legal standing to challenge the Upstream surveillance program. Upstream gives the NSA the ability to harvest emails and internet traffic from internet cables in the US and around the world.
Both the Irish data commissioner and Schrems argued the developments had no significance for the issues the court had to decide.
In her judgement, Costello said she considered it “necessary and appropriate” to refer a decision about Standard Contractual Clauses to the European Court of Justice. She said she did not consider she had to refuse to refer as a result of the recent Privacy Shield agreement between the EU and US. She will hear submissions as to the precise wording of the questions to be referred to the ECJ later.
Brian Johnston, London law firm Bristows
Speaking outside the court, Schrems described the Irish data protection commissioner’s view that SCCs could be invalidated across Europe as an extreme position.
“Our position is that the data protection commissioner can, in individual cases, suspend data flows under the so-called Article 4 of the Standard Contractual Clauses, so I think this is maybe where this case is going.”
Lawyer Brian Johnston, associate in the data protection team at law firm Bristows, said today’s judgement could have far-reaching consequences for European organisations that share their data with the US.
“Given that, according to recent surveys, the Standard Contractual Clauses are relied on by 88% of EU companies transferring data outside the EU, the implications are potentially even more significant than the end of Safe Harbour in 2015,” he said.
Max Schrems’s long road to justice
25 June 2013: Austrian lawyer Max Schrems files a complaint against Facebook Ireland with the Irish data protection commissioner (DPC) Helen Dixon, arguing that Facebook Ireland is in breach of data privacy law. By transferring his data to the US, Facebook is making it available to the US National Security Agency (NSA) through the Prism surveillance program.
6 October 2015: Schrems succeeds in the Court of Justice of the European Union (CJEU) in a ruling that overturns the EU-US Safe Harbour Agreement, which permits the sharing of data between the EU and the US.
20 November 2015: Facebook Ireland signs an agreement with Facebook Inc to transfer data on European Facebook customers to the US using Standard Contractual Clauses (SCCs), as an alternative to Privacy Shield.
1 December 2015: Schrems files an updated complaint with the Irish DPC. He requests the DPC to make a ruling prohibiting transfers of data between Facebook Ireland and Facebook Inc in the US, on the grounds that Facebook Inc is illegally making his data available to US intelligence through the Prism collection program.
7 February 2017: The Irish High Court begins hearing a case brought by Irish data protection commissioner, who issued legal proceedings against Facebook Ireland and Max Schrems with a view to referring SCCs to the European Court of Justice.
19 July 2017: In an unusual move, the Irish Court joins the US to the case. The European Privacy Information Centre, a non-government organisation, the Business Software Alliance, and Digital Europe are also joined to the case.
3 October 2017: The Irish High Court issues a ruling to refer SCCs to the European Court of Justice to decide on their validity. It raises questions over the safeguards to protect EU data against collection by the US NSA under its Prism and Upstream programs.
Read more on Regulatory compliance and standard requirements
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
Facebook takes legal action against Irish privacy watchdog
Irish privacy watchdog orders Facebook to stop sending user data to the US
Why data exports from the EU will be challenging without Privacy Shield