Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems

In proceedings by the Data Protection Commissioner (“DPC”) that commenced on 7 February 2017 in the Irish High Court, the DPC is asking the High Court to make a Preliminary Reference to the Court of Justice of the European Union (“CJEU”) as to the validity of the “standard contractual clauses” (“SCCs”) mechanism under which personal data is currently being transferred from the European Union (“EU”) to the United States (“US”).

The DPC is not seeking orders against Facebook or Mr Schrems under these proceedings. The purpose of the action is to obtain legal clarification from the CJEU on the validity of the SCCs under which personal data is transferred from the EU to the US.

Background

This case arose from complaints made by Mr Schrems to the DPC on 25 June 2013 concerning the transfer of data, by Facebook, from the EU to the US. The complaint followed the Snowden disclosures which revealed surveillance by the US National Security Agency (“NSA”) of certain internet and telecommunications systems operated by companies including, Facebook, Microsoft and Google.

Mr Schrems was concerned that his data may have been accessed by the US state security agencies because his personal data was being transferred from Facebook Ireland Limited to its US parent company, Facebook Inc, under the “Safe Harbour” regime. The “Safe Harbour” regime was established by way of an EU Commission decision in 2000 which deemed the US to have an adequate level of data protection where the Safe Harbour regime was adhered to by parties involved in personal data transfers from the EU to the US.

The DPC declined to investigate Mr Schrems’ complaint as the DPC was bound under existing national and EU law to apply Safe Harbour. Consequently, Mr Schrems applied to the Irish High Court for a judicial review of the DPC’s decision. On 18 June 2014, Justice Hogan delivered his judgment holding that the essential question for determination was whether the DPC was bound by EU Commission’s decision on the “Safe Harbour” regime as regards the adequacy of data protection law and practice in the US.

The Irish High Court referred the issue to the CJEU because it did not have authority to make such a ruling. On 6 October 2015, the CJEU in Maximillian Schrems v Data Protection Commissioner (Case C 362/14) ruled that the “Safe Harbour” scheme was invalid.

On 20 October 205, Mr Schrems’ proceedings were returned before the Irish High Court and the decision of the CJEU was implemented by the making of a High Court Order which set aside the decision by the DPC not to investigate Mr Schrems’ complaint of 25 June 2013. The High Court then remitted Mr Schrems’ original complaint back to the DPC for investigation.

The DPC subsequently opened an investigation into Mr Schrems’ original complaint but he subsequently reformulated his complaint to take account of the fact that the “Safe Harbour” scheme was deemed invalid. Mr Schrems’ reformulated complaint was based on Facebook’s use of SCCs to authorise EU to US data transfers. On 24 May 2016, the DPC issued a draft decision which found that Mr Schrems raised “well-founded” objections. The DPC formed a preliminary view that using SCCs did not provide the level of protection necessary and that there were “deficiencies” in the rights of EU citizens to access remedies under US law for any breach of their data protection rights.

The DPC was of the view that they could not complete the investigation without a ruling on the validity of the SCCs. As a result, the DPC commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue.

Animus Curiae

In light of the potential implications of this case, a number of international amicus curiae or “friends of the court” applied to be joined to the proceedings. On 19 July 2016, the High Court ruled that four of the ten parties be joined to the proceedings as “friends of the Court”.

AS a result, the US government, Business Software Alliance, the Electronic Privacy Information Centre and Digital Europe will be allowed to make representations to the Court in relation to the proceedings.

The US government will be seeking to claim that “significantly enhanced” protections have been put in place in recent years to ensure the privacy rights of EU citizens and has warned of the “sweeping” commercial ramifications should the CJEU find that the SCCs offer inadequate protection which could also undermine international co-operations to confront common threats.

Proceedings

The proceedings commenced before the High Court on 7 February 2017 and are scheduled to run for approximately three weeks.

DPC Opening Statement

Last week Michael Collins SC, acting on behalf of the DPC, urged the Court to ask the CJEU to decide whether the SCC channels were valid and to provide adequate protection for the rights of EU citizens if they shared the DPC’s doubts. He further stated that the DPC was not bringing the case for any vested interest or agenda but the DPC’s concern is “simply to get it right.”

Mr Schrems’ expert witness

On Friday 10 February 2017, Mr Schrems’ expert witness, US attorney Ashley Gorski of the National Security Project of the American Civil Liberties Union, disputed the US Government’s claims concerning the adequacy of the US safeguards.

Ms Gorski outlined the “broad authority” of the US government to access communications and data of non-US persons located abroad. She claimed that FISA provides an incredibly low threshold for targeting non-US persons which allows for any non-US person located abroad to be targeted for “foreign intelligence” without the need for that person to have any connection to criminal or terrorist activity.

Ms Gorski further noted there are few remedies available for EU citizens whose rights have been breached as the standing doctrine requires litigants to have notice and she argued that the vast majority of litigants don’t have such notice. Ms Gorski acknowledged that she had no direct knowledge of US surveillance programmes however she was of the view, as an advocate for civil liberties, that there were reasonable inferences to be drawn from the Snowden disclosures. She agreed that it is necessary for the US to protect itself against hostile attack and also agreed that she was not aware of any other country that makes publicly available the basis for its foreign intelligence gathering.