Today the Schrems v. Irish Data Protection Commission case was brought before the Court of Justice of the European Union (‘CJEU’) for an oral hearing, following referral by the Irish High Court. While the final ruling by the CJEU is to be awaited until June 24, it is expected that it may impact the (further existence of the) Safe Harbor Decision governing EU-US data flows. This may affect not only US companies participating in the PRISM program, but also other US organisations that rely on their Safe Harbor certification for EU-US personal data flows.

The proceedings were initiated by Maximilian Schrems – an Austrian privacy activist with a PhD in law – who contacted the Irish Data Protection Commission (DPC), i.e. the data protection authority (DPA) which has regulatory competence of Facebook Ireland Ltd in Ireland. Mr. Schrems, a Facebook user, expressed his concerns to the Irish DPC about the transfer of his data to Facebook in the US, referring to the mass surveillance of data by the NSA, and asked the Irish DPC to stop Facebook Ireland Ltd from transferring his personal data to the Facebook US headquarters. Following refusal by the Irish DPC to grant the request, Mr. Schrems brought the case before the Irish High Court, which subsequently referred the following questions to the CJEU:

  1. Is a DPA bound by an adequacy decision of the European Commission for a third country if it is claimed that the laws and practices of such third country do not contain adequate protection for the individuals concerned?; and
  2. May DPAs alternatively conduct their own investigation of the adequacy of a third country in light of factual developments since the Commission Decision on the adequacy of that third country was published?

Today’s oral hearing before the CJEU was attended by the 12 parties who had previously laid down written submissions (including 7 EU Member States, the European Parliament, European Commission, Mr. Schrems and the Irish DPC) as well as by other organisations such as the European Data Protection Supervisor. Each of the parties clarified their position during the hearing of today, and the topics on the table included the validity of the Safe Harbour Decision, its binding nature, the current adequacy level of the US and the powers of DPAs to suspend data flows to Safe Harbour certified organisations under certain circumstances.

The European Commission in particular was placed in the hot seat today, having to justify its adequacy decisions and to respond to a series of questions by the CJEU.

The ruling of the CJEU in the present case is expected on 24 June. While the validity of the Safe Harbour Decision does not form the subject matter of the present case, it is nevertheless expected that the ruling may have an impact on the further existence of the Decision, especially considering that when the European Commission could not confirm that the US still provides for an adequate level of protection, when asked by the CJEU.

We note that Mr. Schrems is also the initiator of a second lawsuit against Facebook, a class action involving over 25,000 participants, claiming that Facebook is in violation with European data protection laws. A first hearing of this lawsuit will take place on 9 April before the Austrian courts.