Irish High Court Judge Caroline Costello gave judgment today in the “unusual case” of Data Protection Commission v Facebook & Schrems. The issue before her was whether she should ask the Court of Justice of the European Union to consider the validity of three decisions of the EU Commission: 2001/497/EC of 15 June 2001, 2004/915/EC of 27 December 2004, and 2010/87/EU of 5 February 2010. These decisions enable transfers of EU personal data to controllers and processors outside the EU on the basis of standard contractual clauses. Costello concurred with the Data Protection Commissioner that, “there are well founded grounds for believing that the SCC decisions are invalid and furthermore that it is extremely important that there be uniformity in the application of the Directive throughout the Union on this vitally important issue.” Costello held that there were two options open to her:
- “Make the reference sought by the DPC to the CJEU”; or,
- “[R]efuse to make the reference and dismiss the proceedings as no other relief is sought. In that event the court in effect will be endorsing the validity of the decisions and require the DPC to conclude her investigation into Mr. Schrems’ complaint on the basis that the SCC decisions are valid.”
Costello picked the first option and decided to refer questions to the CJEU. However, those questions have not been referred as of yet. Instead, Costello has asked that the various parties before her to make submissions on the questions to be asked of the CJEU (something they had all asked for). Costello did hint at what those questions might be:
- Whether Irish High Court or the DPC or the court could be required to conduct a comprehensive adequacy analysis of U.S. laws and practices in relation to electronic surveillance on national security grounds;
- Whether the Irish High Court or the DPC needed to analyse the remedial regime provided by U.S. law (or that of another third country) to see whether this provided an adequate right to an effective remedy before an independent tribunal as required by the EU Charter of Fundamental Rights; and
- Whether it is arguable that limitations on the exercise of the right to an effective remedy before an independent tribunal for EU citizens whose data privacy rights are infringed by the intelligence agencies are not proportionate or necessary or needed to protect the rights and freedoms of others?
Costello then noted that neither “the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States.” She therefore proposed to refer the SCC decisions to the CJEU for a preliminary ruling.
What will happen next?
The validity of the SCC Decisions is not under immediate threat. The DPC has stated this “decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use.” What will happen next is that Costello will take submissions from the parties before framing the questions to be asked of the CJEU on the basis of those submissions. These questions will then be referred to the CJEU, unless someone challenges the decision of Costello before the Irish Courts. Submissions may then be made to the CJEU, itself, and an opinion of that Court’s Advocate General may be given before the CJEU will answer questions it has been asked.
This process will take time. It may well stretch beyond May 25, 2018, at which point the General Data Protection Regulation (GDPR) will apply. Article 3 of the GDPR grants EU data protection laws a global jurisdiction. It may be that the conferral of a global jurisdiction upon EU data protection laws will address some of the concerns raised in Data Protection Commission v Facebook & Schrems. However, whether the CJEU considers this point may depend upon the questions that are asked of it and the submissions that are made to it.
Photo credit: Dublin (46) via photopin (license)
Irish DPC reacts
The Irish Data Protection Commissioner published this statement following the High Court’s decision:
“The Commissioner welcomes the High Court’s judgment and its decision to refer a number of questions to the CJEU, as requested by the Commissioner.
“The transfer of personal data to the US under the standard contractual clauses mechanism (“SCCs”) raises important issues for the protection of EU citizens’ data protection rights. Now that the High Court has confirmed it shares the Commissioner’s concerns about the protection of those rights in the context of EU/U.S. data transfers, the Commissioner hopes these issues will be addressed by the CJEU as soon as possible to provide certainty for data subjects and controllers alike. In that context, the Commissioner acknowledges that many businesses rely on SCCs to transfer data from the EU to the U.S. It is important to note that today’s decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use for the purpose of data transfers to the US or elsewhere. Rather, it invites the CJEU to consider whether, under EU law, SCCs in their present form can and should be retained as a basis for the transfer of personal data from the EU to the U.S.”