CJEU reference from Irish High Court on whether data transfers to US by Facebook comply with EU law

21 Nov 2017

The transfer of personal data from EU Member States to third countries such as the United States is prohibited under the Data Protection Directive (95/46/EC) unless the level of protection afforded by the third country is adequate to provide essentially the same level of protection for personal data that EU citizens enjoy under EU law and the Charter of Fundamental Rights of the EU. Following the Edward Snowden revelations in 2013 concerning the extent to which the US security services engaged in extensive surveillance programmes of internet and telecommunication systems operated by companies such as Microsoft, Apple, Facebook and others, the European Commission adopted a “Safe Harbour” decision providing for procedures under which such data could be transferred to the US. On foot of a reference made in proceedings brought in Ireland by Max Schrems, the CJEU, in a decision of the 6th of October 2015, declared the Safe Harbour decision of the Commission to be invalid.

The Commission subsequently adopted certain decisions known as the Standard Contractual Clauses (SCC) decisions under which a data exporter in the EU (such as Facebook which transfers its EU customers’ data from Ireland to the US) could lawfully transfer data to countries such as the US if the data exporter and importer put in place an agreement which complied with the relevant SCC. Mr. Schrems reformulated his complaint to the Irish Data Protection Commissioner to the effect that the SCCs, even if complied with, did not in fact afford EU citizens the level of protection required under the Directive in order to comply with Articles 7 (respect for private and family life), 8 (protection of personal data) and 47 (right to an effective remedy and to a fair trial) under the Charter. Having considered his complaint, the Data Protection Commissioner, Helen Dixon, considered that his complaint was well-founded and she brought proceedings before the Irish High Court for the purpose of making a reference to the CJEU to adjudicate on the validity of the SCC Commission decisions. As Mr. Schrems’ complaint related to the transfer of his data by Facebook Ireland Limited to Facebook in the US, she joined Facebook Ireland Limited and Mr. Schrems as defendants. A large number of persons applied to be joined as amici curiae and the High Court joined four parties as amici curiae to the proceedings including the United States of America.

After a five week oral hearing which included evidence from five experts on US law concerning the nature and extent of the level of protection for personal data and remedies for infringements in the US, the High Court (Costello J.) formed the view that there appeared to be well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter for an EU citizen whose data are transferred to the US where the data may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter. She formed the view that the safeguards purportedly constituted by the SCCs do not appear to address the well-founded objection that there is an absence of a remedy in the US compatible with Article 47 of the Charter, particularly having regard to the standing requirements under US constitutional law.

Costello J. accepted the arguments of the Data Protection Commissioner that she had jurisdiction to make a preliminary ruling on the validity of the SCC decisions; that the court was not obliged to reject the application by reason of the adoption by the Commission of another mechanism for data transfer known as the EU – US Privacy Shield decision; that the Data Protection Commissioner’s well-founded concerns as to the absence of an effective remedy in US law compatible with the requirements of EU law and the Charter were not eliminated by the introduction of the Privacy Shield decision; that an issue also arose as to whether the exceptional discretionary power conferred on the Data Protection Commissioner by Article 28 of the Directive to suspend or ban the transfer of data to a data importer in a third country on the basis of the legal regime in that third country is sufficient to secure the validity of the SCC decisions.

In her judgment she pointed out that “[t]he case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond. First, it is relevant to the data protection rights of millions of residents of the European Union. Secondly, it has implications for billions of euro worth of trade between the EU and the US and, potentially, the EU and other non-EU countries.  It also has potentially extremely significant implications for the safety and security of residents within the European Union.”

Following the delivery of the High Court’s decision on the 3rd of October 2017, the Court is shortly due to hear submissions on the form of questions to be referred to the CJEU.

Michael M. Collins SC acted for the Data Protection Commissioner.