Ireland

[IE] High Court makes referral to the CJEU in Facebook Ireland case

IRIS 2017-10:1/22

Ingrid Cunningham

School of Law, National University of Ireland, Galway

The Data Protection Commissioner of Ireland (DPC) has been granted a referral by the Irish High Court to the Court of Justice of the European Union (CJEU) to determine the validity of three decisions of the Europe Commission insofar as they apply to data transfers from the European Economic area (the EEA) to the United States. The referral was granted in the proceedings by the DPC against Facebook Ireland Ltd. and Austrian lawyer Maximilian Schrems. The case was grounded in a complaint made by Mr Schrems in 2013 about the transfer of his personal data by Facebook Ireland Limited (Facebook) outside the European Union to Facebook Inc., in the United States for further processing. Mr Schrems argued that “the legal regime in the United States does not afford his personal data the protection to which he is entitled under European Law.”

Facebook informed the DPC that “it transfers data for processing to Facebook Inc, including Mr Schrems’s data, largely pursuant to an agreement between Facebook Ltd and Facebook Inc which in turn is based upon a decision of the European Commission Decision 2010/87/EU.” This decision “authorises the transfer of data by data exporters from the EEA to data importers outside the EEA on the basis of standard contractual clauses” (SCCs).

The DPC formed the view that Mr Schrems’s complaint raised issues as to the validity of the SCC Decisions having regard to the various provisions of the Charter of Fundamental Rights of the European Union, including Article 7 (respect for private and family life) and/or Article 8 (Protection of Personal Data). In light of the ruling of the CJEU in Schrems v Data Protection Commissioner (see IRIS 2015-10/2), invalidating the US Safe-Harbour Agreement, the Data Protection Commissioner instituted these proceedings in order that the validity of the SCC Decisions may be determined either by the High Court, or on the basis that the High Court makes a reference to the CJEU, which makes a ruling on the validity of the SCC decisions.”

Ms Justice Costello in the High Court stated that “the case raises issues of very major, indeed fundamental, concern to millions of people with the European Union”, and implications for billions of euros worth of trade between the European Union and the United States.

In a 153-page ruling, the judge found that the High Court had jurisdiction to make a reference to the CJEU for a preliminary ruling on the validity of the SCC Decisions under Article 267 of the Treaty on the Functioning of the European Union (TFEU). The judge reached this decision based on the “well founded concerns” as to the validity of those decisions raised by the DPD with which the High Court agreed. The judge stated that Union law guarantees a high level of protection to EU citizens as regards the process of their personal data within the European Union. Accordingly, EU citizens “are entitled to an equivalent high level of protection when their personal data are transferred outside the EEA."

The judge stated that the arguments advanced by the DPC “that the laws, and indeed the practices of the United States do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by Article 47 of the Charter, which applies to the data of all EU data subjects transferred to the United States” are “well founded”.

Ms Justice Costello said that the European Commission’s adoption of the Privacy Shield decision with the United States in July 2016, (adopted after the CJEU in Schrems v Data Protection Commissioner declared the Safe Harbour Decision invalid), accepting that there is adequate protection for data transferred to the United States under the protocol, did not prevent her from making a referral. Justice Costello added that the introduction of an Ombudsperson mechanism in the Privacy Shield decision did not eliminate the DPC’s “well founded” concerns that the Ombudsperson mechanism does not remedy the issues identified regarding individual redress for wrongful interference with data privacy in the United States. The judge stated that a decision by the CJEU is required to determine whether the Ombudsperson mechanism amounts to a remedy.