Facebook has been given the go ahead to appeal to Ireland’s Supreme Court against an earlier High Court decision to refer key questions relating to the validity of EU-US data flows to Europe’s top court, the Irish Times reports.
The eventual outcome of what is already years of legal to-ing and fro-ing — in a case that’s colloquially referred to as ‘Schrems II’ — could have major implications for the thousands of companies that rely on transferring EU citizens’ personal data to the US for processing.
The case was originally lodged with the Irish Data Protection Commission by European privacy campaigner, Max Schrems — as a complaint over the legality of Facebook’s use of Standard Contractual Clauses (SCCs) for transferring EU citizens’ data. Although it was Ireland’s DPC that took the decision to go to court — seeking a definitive ruling on the legality of the data transfer mechanism.
The High Court then added its concerns about another mechanism: The EU-US Privacy Shield.
Facebook is disputing the court’s earlier findings, including of “mass indiscriminate processing” of data by U.S. government agencies — under the PRISM and Upstream data harvesting programs (details of which were made public in documents released in 2013, by NSA whistleblower Edward Snowden).
In May Facebook was denied a stay against the CJEU referral by the High Court. So the decision by the Supreme Court to hear its appeal sidesteps that earlier block — albeit, the referral to the CJEU stands, and has neither been blocked nor revoked by today’s decision.
However, if the Supreme Court hears Facebook’s appeal before the end of the year — as slated — that’s likely to be before the CJEU delivers its verdict on the referred questions. So there’s at least a possibility that the outcome of the Irish appeal could feed into the CJEU judgment, i.e. when Europe’s supreme court conducts its own assessment of the validity of EU-US data transfer mechanisms.
Equally, there’s no guarantee that Facebook’s arguments will persuade Ireland’s Supreme Court judges there was anything wrong with the High Court’s findings of fact in the first place.
The company’s decision to ask the Supreme Court to hear its appeal against the High Court’s CJEU referral lacks precedent in Ireland — so the company is challenging local case law.
The Irish Times reports that the judges rejected arguments made by the DPC and Schrems against the appeal, deeming it “at least arguable” that Facebook could persuade the court that at least some of the facts under challenge should be reversed.
According to the newspaper, the court granted Facebook leave to appeal on all eleven grounds which its lawyers had presented.
It was also eleven questions that the High Court referred to the CJEU in April — seeking guidance on a range of fine-grained points around whether rights afforded to EU citizens are being adequately protected by the current data transfer mechanisms and regimes, including Privacy Shield and SCCs; how to determine which rules and regulations take precedence across borders and/or where legal priorities clash and overlap; and whether, in cases of rights violations caused by surveillance law, data protection authorities have to suspend data flows or whether they can use discretion to not do so.
The case is based on an even earlier (2013) complaint by Schrems, related to US surveillance law, when he challenged Facebook (and other tech giants) over how user data they held was accessed by US intelligence agencies under US government mass surveillance programs — arguing such bulk access contravenes Europeans’ fundamental privacy rights.
The result, in 2015, was a landmark CJEU judgement which struck down a long-standing EU-US data transfer mechanism (called Safe Harbor).
The European Commission has since negotiated an updated replacement mechanism (aka: The EU-US Privacy Shield) — which is now used by more than 3,400 companies to simplify the process of authorizing transfers of EU citizens’ personal data to the US.
However this replacement is under increasing attack at home, with European MEPs angry at decisions taken by the current US administration which they see as counter to the spirit of the agreement and/or risking undermining actual protections agreed by EU and US negotiators during the Obama presidency.
US lawmakers’ continued backing for warrantless surveillance is one example — when the hope in Europe had rather been for reform of Section 702 of FISA, not the six-year renewal that Trump signed off on.
The Trump administration has also failed to fully enact certain aspects of the Privacy Shield arrangement (two years on from launch there’s still no permanent appointment to an ombudsperson role intended to handle EU citizens’ complaints, for example).
And in June the EU Parliament’s LIBE committee called for Privacy Shield to be suspended by September 1 unless the US comes into full compliance. Earlier this month the EU parliament also adopted a resolution calling for the suspension of the EU-US Privacy Shield.
The annual review of the Privacy Shield mechanism is due to take place in October — so Commission really needs to eke out some substantial concessions from its US counterparts or face further political heat in its own backyard.
Aside from the CJEU, the Commission is the only EU institution with the power to suspend Privacy Shield, although the executive body has shown no appetite for that. Rather its priorities align with ensuring ‘business as usual’ — at least where all important data flows are concerned — vs taking a principled stance in defense of EU citizens’ fundamental rights. For that, Europeans typically have to look to the courts. Or, sometimes, the parliament.
The Irish Times reports that Facebook’s grounds for appeal to the Supreme Court in the Schrems II case include the necessity of the High Court making a reference in light of Privacy Shield — with the company arguing the court is bound by the finding on US law contained within the Privacy Shield decision. (A decision that was, however, made by the Commission, not by an EU court.)
It also argues that the High Court should have taken into account the effect of the introduction of the EU’s General Data Protection Regulation on the legal context which will operate when the CJEU comes to consider the reference — with the referral taking place prior to GDPR coming into force on May 25.
The company is also claiming the court made several errors in its assessment of US law — including in its finding of “mass indiscriminate” processing; and that US laws and practices did not provide EU citizens with an effective remedy, as required under the EU’s Charter of Fundamental Rights, for breach of data privacy rights.
We’ve reached out to Facebook and to Schrems for comment on the appeal.