A High Court judge has asked the Court of Justice of the EU (ECJ) to determine the validity or otherwise of European Commission decisions approving EU-US data transfer channels used by Facebook and others.
The case has potentially huge implications for billions of euro worth of trade between the two blocs and the data privacy rights of millions of EU citizens, as well as their safety and security, Ms Justice Caroline Costello noted.
Facebook and the US government had opposed the Irish Data Protection Commissioner’s application for a referral but the judge agreed to refer, concurring with the commissioner that there are “well founded” grounds for believing European Commission decisions of 2001, 2004 and 2010 approving data transfer channels known as Standard Contractual Clauses are invalid.
EU law guarantees a high level of protection to EU citizens on the processing of their personal data within the EU. Citizens are entitled to “an equivalent high level of protection” when their personal data is transferred outside the European Economic Area, she said.
The Data Protection Commissioner, Helen Dixon, had raised "well-founded" concerns about the absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the EU for an EU citizen whose data is transferred to the US "where it may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter".
Having analysed evidence concerning US surveillance programmes, it is clear there is “mass, indiscriminate processing” of data by the US government agencies, she said.
There were several “very significant barriers” to individual EU citizens obtaining any remedy for unlawful processing of their personal data by US intelligence agencies. Judicial remedies “are few and far between and certainly not complete or comprehensive”.
Ms Justice Costello said the European commission’s July 2016 adoption of Privacy Shield with the US – accepting that there is adequate protection for data transferred to the US under the protocol – did not prevent her, as Facebook and the US had argued, making a referral. The ombudsman mechanism in the Privacy Shield does not afford EU citizens judicial protection or eliminate the data commissioner’s concerns, she added.
An ECJ decision was necessary to determine whether the Data Protection Commissioner’s “exceptional discretionary power” under the 1995 Data Protection Directive to suspend or ban transfer of data to a data importer in a non-EU country on the basis of the legal regime in that country is sufficient to secure the validity of the Standard Contractual Clauses decisions.
It is important to have “uniformity” in the application of the directive throughout the EU and only an ECJ decision could resolve potential for inconsistent applications of the directive.
The judge stressed that she was concerned primarily with the Data Protection Directive and its focus on whether third country protections for EU citizens data privacy rights are “adequate” and involved no decision or value judgment by her on the merits of data transfer laws and choices of the EU and US.
Submissions will be made later concerning the precise wording of questions to be decided by the European court before the matter is formally referred.
Ms Dixon sought referral after reaching a draft view that Austrian lawyer Max Schrems had raised "well-founded" objections over the transfer of his personal data to the US.
Mr Schrems’ complaint in 2013 alleging that the transfer of his personal data by Facebook Ireland to its US parent, Facebook Inc, was unlawful under Irish and EU law previously lead to the High Court referring issues to the ECJ, resulting in the European court striking down the previous protocol - Safe Harbour – for data transfers.
Mr Schrems’ reformulated complaint concerning transfer to and processing of his data in the US was then investigated by the Data Protection Commissioner who, in a draft finding of May 2016, held he had well-founded objections to his data being transferred based on her views about the adequacy of remedies available in the US for EU citizens who allege breach of their data privacy rights.
The commissioner then took proceedings for a referral, saying she wanted the ECJ view on the validity of the Standard Contractual Clauses decisions before she finalised her decision on Mr Schrems’ complaint. Her case was against Facebook Ireland because Facebook’s European headquarters are here and Mr Schrems, but no orders were sought against them.
The US government, the Business Software Alliance, Digital Europe and the Washington-based Electronic Information Privacy Center were joined to the case to assist the court on legal issues.
Mr Schrems opposed referral, arguing it was unnecessary and that the commissioner had enough information to finalise his complaint without it. Facebook also opposed referral but on different grounds. It and the US government argued US law, Privacy Shield and other measures afford adequate protection for data privacy rights of EU citizens.
Ms Dixon said she hoped the issues would be addressed by the European court as soon as possible “to provide certainty for data subjects and controllers alike”.
Mr Schrems said he was of the view that the standard contractual clauses were “perfectly valid” and that the European Commission decision allowed the commissioner to suspend “individual problematic data flows, such as Facebook’s”.
Facebook said it was essential that the ECJ now consider the “extensive evidence demonstrating the robust protections in place under standard contractual clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe”.
Liability for costs of the substantial case, which ran for 21 days, will be decided later.