What Judge Gerald Hogan described as a case of “transcendent international importance” returned to the Irish High Court for the last time today. More than a year ago, the same judge had referred questions in Schrems v. Data Protection Commissioner to the Court of Justice of the European Union (CJEU) in Luxembourg. Those questions asked whether the Irish Data Protection Commissioner (DPC) could investigate Max Schrems' compliant that Facebook was transferring his personal data to the U.S. The CJEU went further than simply answering the questions it was asked and went on to find invalid the “Safe Harbour Decision” under which this data was being transferred.
Because this Safe Harbour Decision appeared to permit these trans-Atlantic transfers, the Irish DPC had originally held that Schrems' complaint was “frivolous and vexatious." This rather unfortunate phrase is to be found in Section 10 of the Irish Data Protection Acts. The Irish Courts have clarified that the use of this phrase does not meant that a complaint was “foolish or silly” but rather that it was “ … futile, misconceived or hopeless." And until the CJEU held that the Safe Harbour Decision was invalid, it was clear that the DPC did not have a basis for investigating Schrems' compliant.
That decision was today quashed by the High Court. And the DPC’s investigation of Schrems' complaint will now proceed. Counsel for Schrems did express concern that this investigation would be “long-fingered," however counsel for the DPC responded that there was “no question” of this happening. Judge Hogan declined to make an order directing that the DPC conduct an investigation “ … as she had said she would do so with all due speed.” Hogan declined to express any further views on the matter, though he did award Schrems his costs.
Facebook had applied to be joined as a party to the case, but did not proceed with its application as the proceedings were effectively at an end.
What happens now?
The DPC’s investigation will now commence under section 10 of the Irish Data Protection Act. Those acts require that the DPC endeavors to arrange for the “amicable resolution” of Schrems' compliant, but the DPC’s inability to arrange for such a resolution cannot block her investigation. Those acts go onto provide that the DPC may “ … carry out or cause to be carried out such investigation as … she considers appropriate in order to ensure compliance with the … Act and to identify any contravention thereof.”
The complaint made by Schrems is basically that Facebook is transferring data outside the European Economic Area contrary to section 11 of the Irish Data Protection Acts. The DPC’s investigation of this complaint may break down into three stages.
First, the DPC may have to consider whether the “the data subject has given his or her consent to the transfer” or “the transfer is necessary for the performance of a contract between the data subject and the data controller.” If this is the case, then the prohibition on transfers outside the EEA may not apply. This therefore means that the DPC may have to consider the terms and conditions that Schrems agreed to when he signed up to Facebook.
Secondly, the DPC may have to consider whether the U.S. “ … ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer …” In considering this question, the DPC will have to consider a variety of factors before making her decision, such as: the nature of the data; the purposes for which are to be processed; the country of destination of the data; the law in force in that country; any security measures taken in respect of the data in that country, and the international obligations of that country.
Finally, before the DPC can issue a Notice prohibiting transfers outside the EEA she must “ … consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.”
So the DPC has a lot to consider, and the consideration of these issues may take some time.
If you want to comment on this post, you need to login.