High Court to rule on data issues to bring to EU Court of Justice

A High Court judge will rule later on exactly what questions and information she should put before the Court of Justice of the EU for its consideration of the validity or otherwise of European Commission decisions approving EU-US data transfer channels.

Ms Justice Caroline Costello has heard four days of submissions from the Data Protection Commissioner, Facebook, Austrian lawyer Max Schrems, the US government and others concerning what should be before the CJEU.

The issues she must decide include what prominence should be given to articles 25 and 26 of the data protection directive. Article 25 requires EU member states to ensure, where the data of EU citizens is transferred to third countries, the latter provide an adequate level of protection. Article 26 allows for a derogation from article 25 and permits, once adequate safeguards are provided, transfers to third countries which do not provide adequate protection.

When the submissions concluded on Thursday, the judge said she would consider all of them before finalising the content of the questions and statement of facts to be put before the CJEU.

She will also decide whether to grant Facebook’s application to correct what it says are certain factual errors made in her judgment last October granting the commissioner’s application for a reference to the CJEU.

US government

In response to concerns raised by Sean O’Sullivan, on behalf of Mr Schrems, concerning the US government’s role in the CJEU case, the judge said she was satisfied she had no jurisdiction to limit the role of any party before the CJEU and would make no order in that regard.

Commissioner Helen Dixon sought the reference arising from a complaint by Mr Schrems that the transfer of his personal Facebook data to the US was done in breach of his data privacy rights as an EU citizen.

The commissioner brought the proceedings against Facebook Ireland, because its European headquarters are here, and Mr Schrems, who both opposed a reference for different reasons.

The US government, EPIC, the Business Software Alliance and Digital Europe were joined to the case as amici curiae, assistants to the court on legal issues.

Facebook argued US law and various measures including the 2016 Privacy Shield data transfer agreement between the European Commission and US afford adequate protection for data privacy rights of EU citizens.

Mr Schrems disputed that and opposed a reference on grounds the commissioner had adequate information to decide his complaint.

Standard contractual clauses

In her October judgment, Ms Justice Costello agreed to refer after concurring with the commissioner there were “well-founded” grounds for believing the European Commission decisions approving the data transfer channels known as standard contractual clauses (SCCs) were invalid.

Her judgment was primarily concerned with the EC data protection directive and its focus on whether third-country protections for EU citizens’ data privacy rights are “adequate”.

She held the commissioner had raised “well-founded” concerns about the absence of an effective remedy in US law compatible with the requirements of article 47 of the Charter of Fundamental Rights of the EU for an EU citizen whose data is transferred to the US “where it may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with articles 7 and 8 of the charter”.