Tech

Irish High Court asks European Court to rule on legality of EU-US data transfers

A High Court judge in Dublin has asked the Court of Justice of the EU to decide on the validity of EU-US data transfers, in a case that could have implications for trade between the EU and the US, and the privacy of millions of EU residents.

Justice Caroline Costello, ruling on a case originally brought by Austrian lawyer Max Schrems (pictured above) against Facebook Ireland, said there were “well-founded grounds” for believing the European Commission decision to approve data transfer channels known as Standard Contractual Clauses (SCCs) is not valid.

SCCs are widely used by businesses that transfer data to the US to comply with European data protection laws. They are meant to give EU citizens the same level of privacy when their data is stored in the US as they would receive in Europe.

Facebook Ireland began using Standard Contractual Clauses to transfer data about its users from Europe to the US following the collapse of the EU-US Safe Harbour agreement, in 2015.

Speaking outside the court in Dublin, Schrems said the decision could have significant implications for the way the US and European countries carry out mass surveillance.

“It may allow the Court of Justice to have a really big new judgement on mass surveillance and how far countries can go, which is especially relevant for what European countries do, because it is not also just the US, it is a lot of surveillance in the European Union as well,” he said.

Presenting her findings, in a 152-page judgement issued today (3 October 2017), the judge said it was “extremely important” that there be uniformity in the application of the relevant European Directive throughout the EU “on this very important issue”, and this required that there be “consistency and clarity”.

The decision follows a complaint originally brought by Max Schrems against Facebook Ireland to the Irish data protection commissioner, in 2013, in which he argued that Facebook was in breach of Safe Harbour.

He brought the case following revelations in The Guardian that the US National Security Agency (NSA) had direct access to data on European users of Facebook stored in the US.

Schrems’s objections ‘well-founded’

In a draft finding on May 2016, the Irish data protection commissioner found that Schrems had well-founded objections to his data being transferred to the US. She said there was a lack of remedies available in the US for EU citizens who allege breach of their data privacy rights.

The commissioner applied to the High Court to refer the case to the European Court of Justice (ECJ), for a ruling on whether the European Commission’s decision to approve the data transfer channels known as SCCs was valid. She argued that she wanted the ECJ’s view before she finalised her decision on Schrems’s complaint.

Facebook Ireland, which has its headquarters in Dublin, and Schrems were defendants in the case. The US government, Business Software Alliance and civil liberties groups were among several parties joined to the case to provide advice to the court.

“[The decision] may allow the Court of Justice to have a new judgement on mass surveillance and how far countries can go”
Max Schrems, Austrian lawyer who made a privacy complaint against Facebook

Schrems opposed a referral to the Court of Justice, arguing the commissioner had enough information to finalise his complaint without it.

He said in a statement today: “It is still unclear to me why the data protection commissioner is taking the extreme position that SCCs should be invalidated across the board, when a targeted solution is available. The only explanation I have is that they want to shift the responsibility back to Luxembourg instead of deciding for themselves.”

Facebook also opposed Dixon’s referral to the EU court. It argued with the US government that US law and other measures gave adequate data privacy rights to EU citizens.

That was disputed by Schrems and civil liberties groups including the Washington-based Electronic Privacy Information Center (EPIC).

Court hears new evidence on US surveillance

The judge reserved judgement on the 21-day case in March, but later agreed to a request from the US government to receive information about “significant” new developments in the matter.

They included a decision of the US Foreign Intelligence Surveillance Court (FISC) on 26 April 2017, which addressed the failure of US agencies to comply with surveillance restrictions imposed by the FISC and restraining collection of certain categories of data.

Another development was a decision by the US Court of Appeals for the Fourth Circuit that Wikimedia had the necessary legal standing to challenge the Upstream surveillance program. Upstream gives the NSA the ability to harvest emails and internet traffic from internet cables in the US and around the world.

Both the Irish data commissioner and Schrems argued the developments had no significance for the issues the court had to decide.

In her judgement, Costello said she considered it “necessary and appropriate” to refer a decision about Standard Contractual Clauses to the European Court of Justice. She said she did not consider she had to refuse to refer as a result of the recent Privacy Shield agreement between the EU and US. She will hear submissions as to the precise wording of the questions to be referred to the ECJ later.

“Given that the SCCs are relied on by 88% of EU companies transferring data outside the EU, the implications are potentially even more significant than the end of Safe Harbour”
Brian Johnston, London law firm Bristows

Speaking outside the court, Schrems described the Irish data protection commissioner’s view that SCCs could be invalidated across Europe as an extreme position.

“Our position is that the data protection commissioner can, in individual cases, suspend data flows under the so-called Article 4 of the Standard Contractual Clauses, so I think this is maybe where this case is going.”

Lawyer Brian Johnston, associate in the data protection team at law firm Bristows, said today’s judgement could have far-reaching consequences for European organisations that share their data with the US.

“Given that, according to recent surveys, the Standard Contractual Clauses are relied on by 88% of EU companies transferring data outside the EU, the implications are potentially even more significant than the end of Safe Harbour in 2015,” he said.

Show More

Related Articles