All you need to know in the Max Schrems-Facebook case

Q&A: Your questions answered on the Data Protection Commissioner privacy case

What is this case about and why is it important?

At its core, it is the latest in a line of cases involving challenges on privacy grounds to the various methods by which companies transfer the personal data of EU citizens to countries outside the European Economic Area (EEA), mainly the US. The focus on privacy rights has grown hugely since 2013, following the revelations about US surveillance by former NSA security contractor Edward Snowden.

Data Protection Commissioner Helen Dixon is asking the High Court to refer to the Court of Justice of the European Union (CJEU) the question of whether so-called standard contractual clauses (SCCs) used by companies to transfer personal data are valid.

The clauses are among a number of data transfer frameworks approved by the European Commission under existing EU data protection laws. They are designed to ensure that European citizens enjoy the same level of protection for their personal data when it is processed in the US as when processed in the EU.


How many companies use standard contractual clauses?

The European Commission has no exact figure available for the number of firms using SCCs to transfer their data, but one US estimate suggests that about 80 per cent of companies transferring data from the EU to the US use them. If they were were ultimately to be struck down by the CJEU, many businesses might come to a grinding halt without an alternative as they would be unable to carry out normal, day-to-day activities in countries outside the EEA.

Aren’t there other methods of legally transferring data available?

Yes. Slightly more than 1,700 companies use the Privacy Shield framework agreed between the US and EU last July. It was designed to give EU citizens several avenues of redress if they believed their personal data had not been treated appropriately in the US.

Privacy Shield will be reviewed in the coming months, but it is already facing multiple legal challenges, including one from Irish privacy campaign group Digital Rights Ireland and one from a French privacy group.

Some firms may also use a mechanism known as binding corporate rules, where they are transferring data within a group of companies based in different jurisdictions.

A new EU regulation, known as the general data protection regulation, will come into force in May next year; it will apply to businesses processing the personal data of citizens in the EU, even if they are established outside the EU.

How did this case come about?

Max Schrems filed a complaint with the DPC in 2013 about data transfers by Facebook Ireland to the US in the wake of the Snowden revelations, including the existence of the Prism spying programme. His complaint ultimately ended up before the CJEU in October 2015 and that court struck down the Safe Harbour framework then used by about 4,500 companies, including Facebook, to transfer data to the US.

Facebook subsequently switched to using standard contractual clauses and it believes these provide adequate privacy protections for its customers and that there is no need to refer the question to the CJEU.

Schrems, who filed a fresh complaint against Facebook last year, believes the commissioner could have used her existing powers to halt the data transfers under the standard contractual clauses. The commissioner says that because the SCCs are established under a decision of the European Commission, only the court can make a ruling to the effect that the mechanism is invalid.

Who are the parties in this case?

In what some legal observers consider an unusual move, the commissioner has named Facebook Ireland and Austrian privacy campaigner and lawyer Max Schrems in the proceedings. In another unprecedented move, the US government has asked to join the case as an amicus curiae, or “friend of the court”.

Three other parties are also joined as amicii curiae: the Business Software Alliance representing the global software industry, Digital Europe, representing the technology industry in Europe, and the privacy group Electronic Privacy Information Centre (Epic), which will be represented in court by the Free Legal Advice Centres (Flac).

What does the commissioner say?

On May 24th last year, the DPC issued a draft decision to Schrems and Facebook, saying she had formed the preliminary view that Schrems’s complaint was well-founded. Among other things, the commissioner said a legal remedy was not available in the US to EU citizens whose data was transferred to the US where it may be at risk of being accessed and processed by US state agencies for national security purposes.

Who is Max Schrems?

The Austrian privacy campaigner and lawyer established the group Europe v Facebook after examining the huge file of information he discovered the company held on him based on his friends, “likes” and private messages.

On its website, the group questions whether EU data protection laws are enforceable in practice.

“The right to data protection is a fundamental right in the European Union, but at the same time very (few) companies respect it,” it contends.

A class action case being taken by Schrems against Facebook on behalf of 25,000 individuals has been referred to the CJEU by Austria’s highest court.

When does the case open?

The proceedings open on before Ms Justice Caroline Costello at the commercial division of the High Court on Tuesday.