Judge will take time to seek answers from EU court over Max Schrems Facebook privacy fight

The Irish High Court will take time to decide what questions to put before the European Court of Justice in a case with significant implications for EU and US trade and the privacy of EU citizens

The Irish High Court will take time to rule what questions it will put to the Court of Justice of the European Union (CJEU) as part of a landmark privacy case that will decide whether data transfers between the EU and the US are legally valid.

Justice Caroline Costello made the announcement after four days of submissions from the data protection commissioner of Ireland, Austrian lawyer Max Schrems (pictured above), Facebook, the US government and others, in the High Court in Dublin last week.

The case – part a long-running legal battle between Schrems and Facebook over data privacy – has implications for EU-US trade that could run into billions of euros, and for the data rights of millions of EU citizens and their safety and security.

The Schrems case has so far cost the Irish data protection commissioner the equivalent of half her normal annual budget, it emerged last week.

The judge said she would consider all submissions before finalising the content of the questions and the statement of facts to be put before the European Court, following the hearings which concluded on 11 January.

She will also decide whether to grant an application by Facebook to correct what the tech company argues are ‘certain factual’ errors made in her judgement in October 2017, which granted an application by the Irish data protection commissioner to refer questions on EU-US data transfers to the CJEU for adjudication. 

Concerns over US government involvement in legal proceedings

Sean O’Sullivan, representing Schrems, raised concerns during the hearing about the US government’s role in the CJEU case. The judge said she was satisfied she had no jurisdiction to limit the role of any party before the CJEU and would make no order against the US.

Helen Dixon, data protection commissioner for Ireland, referred the matter to the Court of Justice in October, following a complaint by Schrems that the transfer of his personal Facebook data to the US breached his data privacy rights as an EU citizen. 

The commissioner subsequently brought proceedings against Facebook Ireland, which has its European headquarters in Dublin, and Schrems. Both opposed her referral of the case to the Court of Justice – for different reasons.

Facebook argued US law, and measures including the 2016 Privacy Shield data transfer agreement between the European Commission and the US, gave adequate protection for data privacy rights of EU citizens. 

Read more about Max Schrems and Facebook

Schrems disputed that, and opposed the commissioner’s reference to the CJEU, arguing that she had adequate information to decide his complaint.

The US government; the Electronic Privacy Information Centre, a Washington-based non-profit organisation; the Business Software Alliance; and Digital Europe, which represents digital technology companies in Europe, were joined to the case as amici curiae – assistants to the court on legal issues.

In a 152-page judgement last year, Justice Costello decided to refer the case to the European Court of Justice after agreeing with the commissioner there were “well-founded” grounds for believing the European Commission decisions approving the data transfer mechanisms, known as Standard Contractual Clauses (SCCs), were invalid. 

SCCs are widely used by businesses that transfer data to the US, to ensure they comply with European data protection laws. They are meant to give EU citizens the same level of privacy when their data is stored in the US as they would receive in Europe.

The court ruled in 2017 that the Irish data protection commissioner had raised “well-founded” concerns about the absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the EU, which guarantees the right to a fair trial, when an EU citizen’s data is transferred to the US.

At issue is the transfer of data about EU citizens to the US, “where it may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter”.

The judge will need to decide, among other issues, what prominence she should give to two articles of the Data Protection Directive, before finalising findings of fact and questions that should be put to the Court of Justice.

Article 25 requires EU member states to ensure that data on EU citizens is only transferred to countries outside the EU if they offer an adequate level of data protection. Article 26 permits transfers to third countries which do not provide adequate protection, if safeguards are agreed. 

Schrems case eats into Irish data watchdog’s budget

The Irish data commissioner is one of the smaller regulators in the EU, and the cost of the Schrems case was almost half the original budget for her office.

The data commissioner’s total budget for last year, following an additional grant of 2.8m in mid-year, was 7.8m. The cost of the specific litigation involving Schrems and Facebook was given as just under 2m following Freedom of Information (FOI) requests from the Irish Independent.  

The Schrems litigation has attracted criticism in legal and political circles in Dublin, and is likely to be the focus of additional FOI queries to see if the EU supported the Irish government with a grant for the case.

The hearings follow a complaint originally brought by Max Schrems against Facebook Ireland to the Irish data protection commissioner, in 2013, in which he argued that Facebook was in breach of Safe Harbour, following revelations in The Guardian that the US National Security Agency (NSA) had direct access to data on European users of Facebook stored in the US. 

Read more on Privacy and data protection