Today, 20th October, the Schrems case returned for a hearing to the Irish High Court and these are the key points that arose:

  • Mr Schrems (who was present in Court and had his costs awarded) was keen for the Irish Data Protection Commissioner (“DPC”) to begin its investigation as soon as possible in light of the delay since the case began and the possibility of the DPC delaying pending renegotiation of Safe Harbour;
  • Hogan J (the presiding Judge in the Irish High Court) held that the DPC had an independent duty to investigate and EU / US political developments that may or may not happen were irrelevant;
  • Counsel for the DPC stated that the DPC will investigate and there is no question of the investigation being delayed. He stated that the DPC had no difficulty with any aspect of the CJEU decision;
  • Hogan J held that it was plain that the European Commission decision in relation to Safe Harbour was invalidated as a matter of EU law;
  • As stated in his first judgment, Hogan J reiterated that based on Irish constitutional standards, the DPC would have been obliged to investigate but for Safe Harbour;
  • The court held that there can be no criticism of the DPC in the circumstances for taking the view that the DPC’s jurisdiction was pre-empted by the European Commission adequacy finding;
  • Now that Safe Harbour is invalidated the DPC’s earlier decision not to investigate must be quashed;
  • The further determination of Schrems’ complaint and whether it is based on EU or Irish law is a matter for the DPC;
  • The DPC must respect fair procedures as a matter of Irish constitutional law and Article 41 of the Charter of Fundamental Rights of the European Union;
  • Facebook applied to be joined in the proceedings insofar as they may be required for further orders or hearings. In the circumstances Facebook didn’t press this application as the DPC investigation was the clear next step as agreed by all parties.

So, in a nutshell, the DPC will now investigate Facebook’s EU to US data transfers so see whether or not they meet EU and Irish data privacy requirements. It will be interesting to see in that regard how much emphasis the DPC will put on the previous European Commission criticisms of the US data privacy regime including Safe Harbour: