Europe's highest court will today examine a complaint that United States technology companies and their Dublin-based subsidiaries participate in a global data dragnet in breach of European Union law.
In a case with far-reaching consequences for EU-US relations, the European Court of Justice (ECJ) will hear arguments arising from a complaint filed in Ireland last year with the High Court, demanding the State's data-protection commissioner investigate whether Facebook was in breach of EU law for allegedly passing European user data to US intelligence services.
The Luxembourg hearing follows a referral last year from the High Court with a request for clarity on 15-year-old rules governing data transfer between the EU and US.
Those rules, dubbed “Safe Harbour”, allow US companies process data collected in the EU once they “self-certify” that this processing meets EU standards of “adequate protection” even outside EU borders.
Privacy campaigners have long doubted the efficacy of the 2000 Safe Harbour regime, as has the European Commission and critics saw their worst fears confirmed in claims by Edward Snowden.
The former US National Security Agency (NSA) contractor alleges the agency operated a programme dubbed “Prism”, obliging major technology companies such as Google and Facebook to feed in data they collect on their users – directly or indirectly.
When Austrian privacy campaigner Max Schrems asked the data-protection commissioner to investigate how Facebook and its Irish subsidiary treat data originating in the EU, the Portarlington-based body said this was a political matter, beyond its remit.
Mr Schrems challenged this decision in the High Court, where his lawyers said the commissioner was not entitled to “turn a blind eye” to Snowden allegations that Facebook passed on data to the NSA.
They argue Facebook is subject to the Safe Harbour rules, which in turn are subject to the European Convention on Human Rights – and that the practices alleged by Mr Snowden undermine these.
The data proteciton commissioner found there was nothing to investigate because, in its view, Facebook was acting within the Safe Harbour provisions.
The then commissioner, Billy Hawkes, noted that the 2000 agreement also allowed for sharing of data should law-enforcement authorities request it.
Counsel for the commissioner defended the commission’s dismissal of the Schrems complaint as “frivolous or vexatious”, because it believed it had no prospect of succeeding.
It was not possible for the Irish body to make an order halting the flow of data between Ireland and the US, argued counsel for the commissioner.
The High Court noted evidence suggested a “mass and undifferentiated” access by US security authorities to EU personal data and adjourned the case pending the ECJ’s ruling on how Safe Harbor impinges on EU law.
Seven EU member states have made submissions to the court and may participate in oral arguments alongside the two main parties, as well as the European Parliament and the European Commission.
In November 2013 the commission warned that national security exceptions in Safe Harbour should be used “only to an extent that is strictly necessary or proportionate”.
The court has dealt with data-protection issues in two recent cases. In one case, it ruled that retaining data for up to two years violated the Charter of Fundamental Rights. In another, the court ruled that EU citizens have a right to request obsolete or incorrect data is removed from search engine results.
Privacy campaigners hope the court will rule to end Safe Harbour provisions, though ongoing data protection talks in Brussels mean the EU’s privacy goalposts are already in motion.