High Court ruling opens way to bigger victory for activists

Facebook privacy case: Judge admits gaping hole in US data protection

Thu, Jun 19, 2014, 10:19

Last June, Austrian law student Max Schrems wrote to the Data Protection Commissioner asking him to investigate the transfer of EU citizens’ data by Dublin-based Facebook to the US security authorities.

Schrems argued that the disclosures by whistleblower Edward Snowden, which showed the mass collection of personal data by the US intelligence services, showed there was no meaningful protection of that information in US law or practice.

The commissioner, Billy Hawkes, agreed to investigate 22 other complaints by Schrems, but not this one. His stance was rooted in his understanding of Irish and EU law on the topic.

Transfer ban

The Data Protection Act 1988 includes a general ban on transferring data outside of the State save where the foreign state ensures an adequate level of protection for the rights and freedoms of the individuals concerned.

But the legislation also allows for Irish law to be pre-empted by EU law where the European Commission has found data protection to be adequate in the third country – in this case, the United States. Given that the transfer of data from firms in the EU to the US was subject to the transatlantic Safe Harbour regime – enshrined in a European Commission decision of 2000 – and Facebook had signed up to Safe Harbour, Hawkes felt there was nothing left for him to investigate.

At issue in the High Court proceedings was whether the commissioner was right or wrong in his decision not to investigate the complaint.

Mr Justice Gerard Hogan was sympathetic to Hawkes’s position. As the EU had in effect declared the US provided adequate protection for data handled by firms which operated the Safe Harbour programme, the commissioner felt bound by that. Hawkes had demonstrated “scrupulous steadfastness” to the letter of the 2000 decision and the EU’s 1995 data protection directive.

‘Overtaken by events’

What the judge said next could have far-reaching implications, however. There was, he observed, “perhaps much to be said for the argument that the Safe Harbour regime has been overtaken by events”. The Snowden revelations had exposed gaping holes in US data protection practice, while the coming into force of article 8 of the EU Charter of Fundamental Rights, which sets down a specific right to protection of personal data, suggested a re-evaluation of the 2000 decision and the 1995 directive might be necessary.

The question posed by Mr Justice Hogan is whether, as a matter of European Union law, Hawkes is bound by the 2000 decision on the adequacy of US data protection practice, given what was subsequently enshrined in the Charter of Fundamental Rights, which came into force with the Lisbon Treaty in 2009. Or could the data commissioner simply disregard the 2000 decision?

In view of the “general novelty and practical importance” of these issues, the judge decided to adjourn the case and refer the key questions to the European Court of Justice in Luxembourg.

So Schrems hasn’t quite managed to have the Data Protection Commissioner overruled, but it’s clear a potentially much bigger victory is now in sight for him and fellow privacy activists.

Sign In

Forgot Password?

Sign Up

The name that will appear beside your comments.

Have an account? Sign In

Forgot Password?

Please enter your email address so we can send you a link to reset your password.

Sign In or Sign Up

Thank you

You should receive instructions for resetting your password. When you have reset your password, you can Sign In.

Hello, .

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

Thank you for registering. Please check your email to verify your account.

We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.
From Monday 20th October 2014 we're changing how readers sign-in to comment, click here for more information.