Max Schrems’ battle to turn off Facebook’s trans-Atlantic data flows has crawled one step closer, as the Irish High Court today issued the EU's top court with a set of questions to rule on.
The privacy activist’s multi-year slog began when he brought a complaint against Facebook's mass data slurping, in light of Edward Snowden’s revelations about the extent of bulk data collection by the US government.
That 2013 complaint, to the Irish Data Protection Commissioner (Facebook has its European HQ in the nation), has since been bounced back and forth between the Irish High Court and the Court of Justice of the European Union.
The Irish court’s first referral of DPC v Facebook Ireland and Maximillian Schrems* up to the European court saw the CJEU overturn the Safe Harbor deal that allowed businesses - including Facebook - to move data from the EU to the US, despite the latter’s less stringent data protection laws.
Although a major victory, the case has continued, shifting focus to the standard contractural clauses (SCCs) that Facebook, and many other businesses, started relying on after Safe Harbor was proclaimed dead in the water.
The question now facing the Irish High Court is whether these SCCs ensure proper protection for EU citizens’ data, in line with those set out in EU laws and the Charter of Fundamental Rights.
In a judgment issued last October, the High Court held that US surveillance law allows “mass processing” of personal data, and that the DPC had “well founded concerns” as to whether there is an effective remedy for EU citizens under US law.
However, it said it would need to refer a number of questions up to the CJEU - and has today issued these questions (PDF), bringing the case one step closer to closure. Schrems said he was hopeful that the CJEU would be able to deal with the issue “once and forever”.
Broadly, the questions aim to ascertain how much protection EU citizens’ whose data is transferred using SCCs should be afforded, which US laws should be used to assess these protections, and whether and how it relates to Privacy Shield, the successor to Safe Harbor.
For instance, the court asks if the provision of an ombudsperson under the Privacy Shield deal provides a remedy to people whose data is transferred to the US under SCCs.
Elsewhere, the Irish court also asks how a data protection agency is required to respond if a company importing data is subject to surveillance laws that it believes conflicts with EU data protection laws, the Charter or the SCC agreement.
Would it be required to use enforcement powers to suspend data flows, the court asks, or is the exercise of these powers limited to exceptional cases only; or can a DPA use its discretion not to suspend data flows?
Commenting on the possible outcome of the case, Schrems said that, in light of the Irish High Court's ruling that US surveillance laws allow for “mass processing” of data: "The question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers."
He added that, in the long-term, “the only reasonable solution is to cut back on mass surveillance laws”.
If such a solution isn’t available between the EU and US, he said, “Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation”.
However, Schrems also noted that he would like the CJEU to opt for a "targeted solution" that he argued the law would allow for.
This would only limit data transfer to companies that fall under a US surveillance law, he said. On the other hand, scrapping SCCs full-stop would have “very problematic consequences for many US and EU industry sectors that have nothing to do with surveillance”. ®
* Why the case name looks so weird: The case has taken an unusual route, with the DPC asking the commercial division of Irish High Court to refer the question up to the CJEU - and naming Facebook Ireland and Schrems as defendants in the proceedings.