Update on Schrems II case

The Data Protection Commissioner –and- Facebook Ireland Limited and Maximilian Schrems

Background

Ahern Rudden Quigley Solicitors having acted on behalf of Max Schrems in the successful “Schrems I” case, continue to act for Max Schrems in this ongoing legal battle that is heading to the Court of Justice of the European Union (CJEU) for the second time.

On the 12 April 2018 the High Court issued a Preliminary Reference consisting of 11 questions that the Court intends to refer to the CJEU.

What is the case about?

This case concerns the validity of Standard Contractual Clauses as a legal basis for transferring data from the EU to a third country.

What are Standard Contractual Clauses?

EU law in principle prohibits all data transfers outside of the EU, where the strict EU privacy laws do not apply. There are a number of exceptions to this general principle that, in effect, expand EU law through a business to business contract.

One of these exceptions are “Standard Contractual Clauses” (“SCCs”, also called “Model Clauses”) which is, in effect a contract that an EU data exporter and non-EU data importer enters into to permit the transfer of data between the two entities. Facebook currently uses SCCs between “Facebook Ireland” and “Facebook Inc”.

The Complaint

Mr Schrems made a complaint to the Data Protection Commissioner in 2013 in relation to Facebook’s alleged involvement in US mass surveillance, as disclosed by Edward Snowden. The first reference by the Irish High Court to the CJEU in 2014 led to the groundbreaking invalidation of the “Safe Harbor” Decision in 2015.

The complaint was remitted to the Data Protection Commissioner for investigation. As the “Safe Harbour” Decision had been invalidated, Facebook Ireland Limited indicated that they now relied on SCC’s as the legal basis for the transfer of data from Facebook Ireland Limited to Facebook Inc. In his reformulated complaint, Mr Schrems argued that Facebook could not rely on SCC’s in circumstances where there was extensive mass surveillance in the United States.

The Data Protection Commissioner issued a draft Decision on 24 May 2016 which concluded that there is no legal remedy compatible with Article 47 of the Charter of Fundamental Rights in the United States for EU citizens whose data is transferred to the United States.

The High Court proceedings

However, instead of using its powers to suspend the offending data flows as urged by Mr Schrems, the Data Protection Commissioner issued High Court proceedings naming Facebook Ireland Limited and Mr Schrems as defendants. Those proceedings sought a reference to the CJEU in order to obtain a preliminary ruling on the validity of the SCC’s.

Findings of the High Court

The High Court having heard this matter for 5 weeks made a number of findings of fact concerning the surveillance operations of US authorities. Significantly, the Court concluded that, pursuant to the operation of the PRISM and Upstream programmes established under s 702 of FISA, there is mass indiscriminate processing of data by United States government agencies.

In finding these facts, the Court determined that it was necessary to make a preliminary reference to the CJEU concerning the validity of the SCC Decisions, the use of standard contractual clauses and the exercise of the power of the Data Protection Commissioner to suspend data flows to a third country.

In short the questions that will be referred to the CJEU are as follows:

1. Where personal data is transferred by commercial entities to a third country for commercial purposes and is further processed by its national authorities for national security, law enforcement or conducting foreign affairs, does EU Law apply to such transfers?

2. In determining whether there is a violation of the rights of an individual through the transfers of data to a third country where it may be further processed for national security purposes is the relevant comparator:
a) EU Law; or
b) The national laws of one or more member states?

If the relevant comparator is (b) are the practices in the context of national security in one of more member states also included in the comparator?

3. When assessing whether a third country ensures the level of protection required by EU law to personal data, should the third country be assessed by:
a) The domestic law, international commitments and practices to include professional rules and security measures of the third country?
b) The rules referred to in (a) together with administrative, regulatory and compliance practices and policy safeguards procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country?

4. Given the facts found by the High Court in relation to US Law, if personal data is transferred from the EU to the US under the SCC Decision, does this violate the rights of individuals under Article 7 and/or 8 of the Charter?

5. Given the facts found by the High Court in relation to US Law, if personal data is transferred from the EU to the US under the SCC Decision:
a) Does the level of protection afforded by the US respect the essence of an individual’s right to a judicial remedy for breach of data privacy rights as guaranteed by Article 47 of the Charter?
If the answer to (a) is yes,
b) Are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate and do not exceed what is necessary in a democratic society for national security purposes?

6. (1) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to the standard contractual clauses adopted in accordance with the Directive and in light of the Charter?

(2) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third county under the SCC Decision satisfies the requirement of the Directive and the Charter?

7. Does the fact that the standard contractual clauses apply between a data exporter and a data importer and do not bind the national authorities who may require the data importer to make the data available preclude the clauses from adducing adequate safeguards as envisaged?

8. If a third country data importer is subject to surveillance laws that, in the view of a data protection authority conflict with the standard contractual clauses, is the data protection authority required to use its enforcement powers to suspend data flows or is the exercise of those powers limited to exceptional cases only, or can a data protection authority use its discretion not to suspend data flows?

9. (1) Does the Privacy Shield Decision constitute a finding of general application binding on data protection authorities and courts of member states to the effect that the US ensures an adequate level of protection by reason of its domestic law or the international commitments it has entered into?

(2) If not what relevance, if any does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the US pursuant to the SCC Decision?

10. Does the Privacy Shield ombudsperson, when taken in conjunction with the existing regime in the US, ensure the US provides a remedy to data subjects whose data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?

11. Does the SCC Decision violate Article 7, 8 and/or 47 of the Charter?

What happens next?

Facebook Ireland have indicated that they are considering an appeal to the Supreme Court. For that reason, the Court has listed the matter for 30 April 2018. In the event of an appeal, an application for a stay will be made by Facebook Ireland on that date. If Facebook Ireland decide not to appeal, the reference will proceed.