Following the Safe Harbour CJEU decision, the Irish High Court on 20 October 2015 made an order quashing the decision of the Data Protection Commissioner (DPC) to refuse to investigate Mr. Schrems' complaint and remitted the complaint back to the DPC for investigation.
In light of the CJEU ruling, Mr. Schrems was invited to reformulate and update his complaint. He claimed that, due to the transfer of his personal data from Facebook Ireland to Facebook Inc. in the US, and based on the mass surveillance programs active in the US (as unveiled by Edward Snowden) his personal data was processed by US government authorities. This processing, however, was not compliant, according to Mr. Schrems, with the provisions of the European Charter of Fundamental Rights (ECFR) and requested the DPC to suspend data flow from Facebook Ireland to its US parent company, according to the provision of Article 4(1) of the EU Commission Decision 2010/87/EC (the Controller to Processor SCC, or the SCCs).
The DPC's investigation proceeded on two strands: first, it focused on establishing whether Facebook continued to transfer personal data to the US. As the company confirmed, the transfer of data between Facebook Ireland and its US parent company was based, as of 20 November 2015, on an agreement between the two companies drafted according to the EU Commission Decision 2010/87/EC (SCCs), as well as on other (not disclosed) legal bases. The second strand of the DPC's investigation intended to verify whether the US laws ensure an adequate level of protection for the privacy rights of EU citizens and, if not, whether the SCC decisions can offer adequate safeguards in that respect.
The DPC came to the conclusion that there appeared to be deficiencies in the remedial mechanisms available under US law for EU citizens whose personal data is transferred to the US. The said remedies are indeed either fragmented or subject to limitations, they are applicable only in determinate circumstances and therefore do not offer the protection of the privacy rights that EU citizens are entitled to, according to Articles 7 and 8 of the ECFR. In addition, the DPC was of the opinion that the safeguards put forward by the SCC did not appear to address the issue of the absence of a remedy compatible with Article 47 of the ECFR, also considering that SCC are only applicable between the signatories and cannot be binding on any US government or public body.
The DPC concluded that it was not possible to close the investigation without a ruling from the CJEU on the validity of the SCC decisions. They therefore commenced proceedings before the Irish High Court to seek a preliminary reference to the CJEU on the issue of the validity of the SCC decisions.
In its ruling of 3 October 2017, the Irish High Court analyzed the mechanisms that, according to EU law, allow transfer of data to a third country and notably: (i) a Commission adequacy decisions according to Article 25(6) of the Directive 95/46/EC ("Directive"); (ii) one of the six derogations listed on article 26(1) of the Directive; (iii) an authorization by a member state adopted pursuant to Article 26(2) of the Directive; or (iv) a Commission decision adopted pursuant to Article 26(4) of the Directive. The SCC decisions refer to the last type. The Irish High Court then looked into the level of protection required to be afforded to personal data transferred to third countries, pursuant to standard contractual clauses adopted according to Article 26(4) of the Directive, read in light of the provision of the ECFR and focused both on the available remedies for EU citizens who claim unlawful processing of their personal data in the US, as well as on the overall analysis of the relevant legal regime in the US.
The high court found that:
"despite the number of possible causes of action, it cannot be said that US law provides the right of every person to a judicial remedy for any breach of [their] data privacy by its intelligence agencies. On the contrary, the individual remedies are few and far between and certainly not complete or comprehensive" (par. 234).
In addition, the Irish High Court concluded that the ombudsman mechanism, introduced by the Privacy Shield regime, did not remedy the issues with regard to the existence of individual redress in the US.
The Irish High Court, therefore, concluded that in order for the DPC to close its investigation on Mr. Schrems' complaint it was necessary to analyze the validity of the SCC decisions. According to the Schrems I (Safe Harbour) ruling, however, the issues could only be resolved by a decision of the CJEU. To this end, the Irish High Court submitted 11 questions to the CJEU for preliminary ruling. The full text of the 11 questions, together with a summary of the underlying facts and issues can be accessed here.