Maximilian Schrems v. Data Protection Commissioner

Maximilian Schrems v. Data Protection Commissioner, 2013 No. 765 JR (Ir. H. Court June 18, 2014)

On June 25, 2013, the Austrian student group, Europe v Facebook, filed a formal complaint with the Irish Data Protection Commissioner (the “DPC”) against Facebook Ireland Ltd. (“Facebook Ireland”). The Complaint, brought in the name of Europe v Facebook member Maximilian Schrems, alleged that the revelations about the NSA’s Prism program showed that Facebook Ireland, which provides service to users outside the United States and Canada, had been and was violating the Irish Data Protection Act and the European Data Protection Directive by transferring users’ data to the United States for processing by Facebook Inc. By letter dated July 23, 2013 and email dated July 24, 2013, the DPC informed Mr. Schrems that he did not believe Facebook Ireland had violated the law and that there were no grounds for an investigation. On October 11, 2013, the DPC stated, in response to Mr. Schrems’ request for an agreement in regard to the cost of judicial review proceedings, that the complaint against Facebook Ireland was “frivolous or vexatious.”

On October 21, 2013, the Irish High Court granted Mr. Schrems’ ex parte application to review whether the DPC’s failure or refusal to investigate the complaint was unlawful and whether a mandamus order should issue to compel the DPC to investigate the complaint and make a formal decision under Section 10(1)(b) of the Irish Data Protection Act. After preparatory hearings, the High Court scheduled a hearing on the merits for April 29, 2014.

After a hearing on the merits on April 29, 2014, Mr. Justice Hogan of the Irish High Court issued a Judgment on June 18, in which he rejected both the DPC’s position that there was no need to investigate the complaint and Europe v Facebook’s position that the DPC should be ordered to conduct an investigation. Instead, the Judge referred the case to the European Court of Justice (the “ECJ”) for a re-evaluation of the scope of the Safe Harbor Agreement between the EU and the US, and adjourned the proceedings in Ireland until the ECJ’s decision was reached.

In deciding that a referral to the CJEU was warranted by “the general novelty and practical importance of these issues which have considerable practical implications for all 28 Member States of the European Union” (para. 71), Mr. Justice Hogan found that “the accuracy of much of the Snowden revelations does not appear to be in dispute.” Para. 13. Accordingly, his legal reasoning was based on the factual premise that “personal data transferred by companies such as Facebook Ireland to its parent company in the United States is … capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data.” Id. In addition, he found that “the essentially secret and ex parte nature of the FISA Court’s activities … cast a shadow over the extent to which non-US data subjects enjoy effective data protection rights in that jurisdiction so far as generalized and mass State surveillance of interception of communications is concerned.” Para. 15. The Judge did opine that the surveillance undertaken by the United States had “undoubtedly saved many lives and … helped to ensure a high level of security, both throughout the Western world and elsewhere.” Para. 5. He concluded, however, that “[i]f this matter were entirely governed by Irish law, … a significant [constitutional] issue would arise as to whether the United States ‘ensures an adequate level of protection for the privacy and the fundamental rights and freedoms,’ such as would permit data transfers to that country ….” Para. 56.

The issue that Mr. Justice Hogan referred to the CJEU was whether Irish law (or the law of any EU member state) has any role to play in determining whether the United States affords the requisite level of protection for data to be transferred. Under both s. 11(2) of the Irish Data Protection Act 1988 and Article 25 (6) of the EU Data Protection Directive of 1995, findings by the European Commission in regard to the adequacy of the data protection afforded by non-EU states entirely pre-empt the law of Ireland or any other EU member state. In its Safe Harbor decision of July 26, 2000 (2000/520/E.C.) (O.J.L 215, 25th August, 2000), the Commission found that an adequate level of data protection is provided by companies in the United States that self-certify their compliance with certain principles established by the United States. The question that Mr. Justice Hogan referred to the ECJ was whether the Commission’s July 2000 decision, together with Article 25 (6) of the EU Data Protection Directive, precludes DPCs from responding to complaints by independently investigating whether an adequate level of data protection is provided by companies in the United States that self-certify compliance with the Safe-Harbor principles. Alternatively, is room for independent investigation by DPCs created by the fact that the EU Charter of Fundamental Rights, including Article 7’s provision for respect for private and family life and Article 8’s provision for protection of personal data, came into force after the Commission’s Safe Harbor decision? Mr. Justice Hogan indicated that in determining “whether the Safe Harbour principles are still effective and functional some fourteen years after that decision and finding” (para. 2), it was also necessary to consider the other crucial changes of “the enhanced threat to national and international security posed by rogue states, terrorist groupings and organized crime, disclosures regarding mass and undifferentiated surveillance of personal data by the US security authorities, the advent of social media ….” Para. 67.

On July 16, 2014, Mr. Justice Hogan issued a final order referring the questions to the CJEU and adjourning the proceedings in his court pending the CJEU’s decision. Mr. Justice Hogan also ordered that Digital Rights Ireland Limited be joined as amicus curiae and limited Mr. Schrems’ costs to €10,000.
