Irish Supremes make shock decision to hear Facebook's appeal in Schrems II

Glimmer of hope for Zuck and co to keep pushing data across The Pond

The Irish Supreme Court has made the unprecedented decision to hear Facebook’s appeal in its long-running legal battle with privacy activist Max Schrems – and to do so with urgency.

The unanimous decision from the five judges considering the case will be a surprise to observers, as it appears to go against existing case law and comes after the case has already been referred up to Europe's top court.

In his 28-page judgment (PDF), Justice Frank Clarke acknowledged the complexity of the case, as well as the arguments and case law against granting an appeal – however, he said it should go ahead on both legal and factual grounds.

“I am satisfied that this court should proceed on the basis that it is at least arguable that Facebook might be in a position to persuade this court that some or all of the facts under challenge should be reversed,” he stated.

He emphasised that the facts of the case – which questions the validity of trans-Atlantic data transfer mechanisms – is of major national and international significance.

Moreover, given that the case has already been referred up to the Court of Justice of the European Union, Clarke said the court planned to hear the case by the end of the year.

Five years and counting...

The legal wrangling began back in 2013, when privacy activist and then-PhD student Max Schrems made a complaint about Facebook’s data slurping to the Irish Data Protection Commissioner.

Since then, the case has ricocheted between courts, with the Irish court’s first referral to the CJEU resulting in the collapse of the Safe Harbor deal governing trans-Atlantic data flows.

The case lumbered on, shifting focus to the standard contractual clauses (SCCs) that Facebook, and many other businesses, relied on when Safe Harbor was no longer an option.

In April, the Irish High Court referred 11 questions up to the CJEU. These asked how much protection EU citizens’ whose data is transferred using SCCs should be afforded, which US laws should be used to assess these protections, and whether and how it relates to Safe Harbor’s successor, Privacy Shield.


Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal


However, in what was widely seen as a bid to delay the case, Facebook set about appealing the referral. It first made a leave to stay, which the High Court denied in May, and then requested a leapfrog appeal to the Supreme Court.

High Court's findings have the potential to influence CJEU'

Among its 10 proposed grounds for appeal, Facebook questions the validity and necessity of the High Court’s reference to the CJEU and the content of the reference.

It also alleges errors in the High Court’s assessment of US law – including on its finding that there was mass indiscriminate processing of data, and surveillance, by US agencies.

These were used to based its conclusion that there were “well founded concerns” that required referral to the CJEU.

Facebook’s argument is that such findings of fact are central to any reference to the higher court, because they form the backdrop of that court’s assessment of the questions put to it.

In his judgment, Clarke said that there was a lack of clarity about the precise extent to which the findings of fact by the High Court would impact on the CJEU’s assessment of validity.

Despite this, he said Facebook had a "legitimate interest" in asking the Supreme Court to review the facts found by the High Court, as they “have the potential to influence the assessment by the CJEU of the validity question which has been referred to it”.

'Particularly unusual features'

Another crucial issue for the appeal was that existing case law, set in 1983*, says a decision to refer a question to the CJEU can’t be appealed, which both Schrems and the Data Protection Commissioner both used to argue against the appeal.

Facebook countered that its case was distinguishable from that – a view that Clarke’s judgment seemed to agree with, making repeat references the unusual nature of the proceedings.

For instance, the judge said that a “particularly unusual feature” of the case is that it appears that the CJEU will be asked to make a final decision on the validity of the measures in question.

Thus, the case would not then come back to the Irish courts, meaning there would be no possibility of subsequent appeal within the Irish legal system.

He said that there was a “stateable issue” as to the definition of the parameters set out in that case – in particular whether it applies to a case in which the trial court’s findings of fact could become “immune from review” as a result of the final decision being made by the CJEU.

However, Clarke did not indicate plans to stop the referral up to the European court – rather, he noted the significant limits on national appellate courts to interfere with national courts’ freedom to refer cases to the CJEU.

As such, he said it was crucial for any decision from his court to be delivered well in advance of the likely hearing of the reference before the CJEU.

This means he plans to hear the appeal as a matter of urgency, before the end of the year.

Facebook has to file its notice of intention to proceed within seven days and submit written submissions by 14 September.

Clarke also noted that, under Irish law, there are significant limits on the extent to which facts can be reexamined in the Irish appellate process. This means Facebook must make it clear what type of order it intends to urge his court to make.

Schrems and the Irish commissioner must reply by 5 October. ®

* Campus Oil Limited and others v Minister for Industry and Energy and others [1983] 1 I.R. 82.

Similar topics

Narrower topics

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022