High Court refers Facebook privacy case to Europe

The High Court has referred questions raised by a case taken by an Austrian privacy activist over the alleged mass transfer of personal data to US intelligence services to the European Court of Justice.

Privacy campaigner Max Schrems had argued that the Data Protection Commissioner, Billy Hawkes, wrongly refused to investigate whistleblower Edward Snowden's claims that Dublin-based Facebook International had passed on its EU users' data to the US National Security Agency as part of its Prism surveillance programme.

While the judge did not find in Mr Schrems’s favour today, he adjourned the case pending a reference to the European court.

Lawyers for Mr Schrems had told the court the Data Protection Commissioner was not entitled to “turn a blind eye” to the allegations by the former NSA contractor.

Mr Schrems, who is behind a data privacy campaign ‘Europe v Facebook’, claimed Mr Hawkes wrongly interpreted and applied the law governing the transfer of personal data from Europe to the US when he rejected Mr Schrems’ complaint.

However counsel for Mr Hawkes, Paul Anthony McDermott BL, said the controversy was a result of Snowden allegations and was therefore a matter for the political level.

The transfer of data from firms in the EU to the US is subject to the transatlantic Safe Harbour arrangement dating back to 2000. The European Commission has previously expressed concern that Prism exposed a loophole in the Safe Harbour agreement. Mr Hawkes must await the outcome of "political negotiations" in Europe on the Safe Harbour law, Mr McDermott said.

Mr Schrems said he was not challenging the validity of Safe Harbour, rather the operation of it, and that the transfer of data to the NSA was not in accordance with any exceptions under the agreement. Safe Harbour rules are subject to rights contained in EU directives, under the European Convention on Human Rights and under national law, he said.

In court this morning, Mr Justice Gerard Hogan said the evidence suggested that personal data was “routinely accessed on a mass and undifferentiated basis by the US security authorities”.

The judge said that Irish law had effectively been “pre-empted” by EU law, specifically the provisions of a 1995 directive and the 2000 decision establishing the Safe Harbour regime.

With the July 2000 decision the European Commission found that US data protection law and practice was sufficient to safeguard the rights of European data subjects and it was clear from Article 25(6) of the 1995 directive that national data protection authorities must comply with findings of this nature.

He said it followed that if the data protection commissioner cannot look beyond the Safe Harbour decision, “then it is clear that the present application for judicial review must fail.”

Mr Justice Hogan said the commissioner had demonstrated "scrupulous steadfastness" to the letter of the 1995 directive and the 2000 decision.

“The applicant’s objection is, in reality, to the terms of the Safe Harbour regime itself rather than to the manner in which the commissioner has actually applied the Safe Harbour regime, although neither the validity of the 1995 directive nor the validity of the commission’s Safe Harbour decision have, as such, been challenged in these proceedings,” the judge said.

In these circumstances, Mr Justice Hogan concluded, the “critical issue” which arose was whether the proper interpretation of the 1995 directive and the 2000 commission decision should be “re-evaluated” in light of the subsequent entry into force of Article 8 of the Charter and whether, as a consequence, the commissioner can look beyond of otherwise disregard this community finding.”

Mr Hawkes has dismissed the six-page complaint by Mr Schrems as “frivolous or vexatious”. Mr Schrems’s barrister, Paul O’Shea, said there was “no lawful basis” for the finding . “Members of the public may think this is insulting,” Mr McDermott said. “But in a legal sense it means there is not any realistic prospect of succeeding,” he said.

The reason the Commissioner found the complaint was vexatious was because it was not possible for him to make an order stopping the flow of information between Ireland and the US, counsel added.

Mr Schrems has asked Mr Justice Hogan to quash that decision and direct Mr Hawkes to reconsider the complaint. He also wanted a preliminary reference to the European Court of Justice of issues arising from the case.

The Commissioner, who found Facebook acted within the terms of Safe Harbour, opposed his action. Mr Hawkes found Facebook had no case to answer and was in compliance with the relevant regulations.

Mr Schrems contended that the Data Protection Commissioner didn’t want to deal with the issue of Facebook because it is a “hot potato” which he does “not have the courage to take this on”, Mr McDermott said. The commissioner’s barrister rejected this and said Mr Hawkes was not afraid to take on big companies, noting that he was investigating 22 other similar complaints by Mr Schrems. Mr McDermott argued that Mr Schrems should seek remedy with the US authorities under Safe Harbour and if they would not deal with him he could then come back to the Data Commissioner .