Legal uncertainty surrounds the capacity of companies such as Facebook to transfer European users' data to the US after a High Court judge asked the most senior EU court to consider 11 questions on the issue.
The referral stems from a case taken by Austrian privacy activist Max Schrems.
The questions raise significant issues of EU law with huge implications, including whether the High Court has correctly found there is “mass indiscriminate processing” of data by US government agencies under the PRISM and Upstream programmes authorised there.
The questions also ask whether EU law applies to the processing of personal data for national security purposes regardless of whether that data processing takes place in the EU or US or other third country.
Other questions concern whether the Privacy Shield Decision and other measures in the US afford adequate protection for EU citizens whose data is transferred there. The ECJ is also asked to decide the extent of a data protection authority’s (DPA) power to suspend data flows if it considers a third country is subject to surveillance laws which conflict with EU law.
After Ms Justice Caroline Costello set out the questions on Thursday in a formal request to the ECJ for a preliminary ruling, Paul Gallagher SC, for Facebook, asked for time to consider that in the context of possibly seeking an appeal against the judge’s decision to make a reference to the CJEU in the first place.
Michael Collins SC, for the Data Protection Commissioner (DPC), queried whether there was any entitlement to appeal a High Court decision to direct a reference but did not object to Facebook being given a short time to consider its approach.
The judge, noting she had given judgment last October sanctioning a reference, said she was anxious to make the referral but would allow Facebook time to April 30th.
The questions for reference include whether, when deciding if data privacy rights of an EU citizen are breached, the issue must be examined against the EU Charter and EU law or the national law of one or more EU states, or an amalgam of the laws of all member states. The High Court had found the appropriate comparator was EU law despite Facebook disputing that.
The ECJ is also asked to decide, given findings by the Irish court concerning US law, whether personal data transferred from the EU to the US under the EC decisions violates the rights of individuals under Articles 7 and 8, dealing with personal and data privacy, of the EU Charter.
Other questions concern the factors to be considered in assessing whether the level of protection provided by a non-EU country to which data of EU citizens is exported accords with EU law.
The precise questions were formulated after the judge heard submissions from the sides on her October judgment on proceedings by the DPC concerning a complaint by Mr Schrems that the transfer of his personal Facebook data by Facebook Ireland to the US breached his data privacy rights as an EU citizen.
The data commissioner brought the proceedings against Facebook Ireland, because its European headquarters are here, and Mr Schrems, who both opposed a reference for different reasons. The US government, Washington-based Electronic Privacy Information Centre, Business Software Alliance and Digital Europe were involved as assistants to the court on legal issues.
Ms Justice Costello agreed to refer after concurring with the data commissioner there are “well-founded” grounds for believing the EC decisions approving data transfer channels, known as Standard Contractual Clauses (SCCs), are invalid. Her judgment was primarily concerned with the Data Protection Directive and its focus on whether third country protections for EU citizens' data privacy rights are “adequate”.
She held the commissioner raised “well-founded” concerns about the absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the EU for an EU citizen whose data is transferred to the US “where it may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter”.
The judge has stressed her judgment was based on reports of five experts, who disagreed on a number of issues of US law, and it did not involve a “definitive” statement of the law of the US.
Following the judgment, the sides essentially agreed on the core issues for reference but disagreed on the wording of the questions.
Several of the issues concern Articles 25 and 26 of the Data Protection Directive. Article 25 requires EU member states to ensure, where data of EU citizens are transferred to third countries, the latter provide an adequate level of protection. Article 26 allows for a derogation from Article 25 and permits, once adequate safeguards are provided, transfers to third countries which do not provide adequate protection.
Also on Thursday, the judge provided amended copies to the sides of her October judgment after approving a small number of corrections of essentially technical errors in that.