Irish High Court asks the European Court to rule on Facebook’s trans-atlantic data transfers

Image © Pixaby/Geralt

The Irish High Court has asked the Court of Justice of the EU (CJEU) for a preliminary ruling on the legality of the transfer of personal data from the European Economic Area to the United States for processing.   The reference to Luxembourg comes despite previous decisions from the European Commission approving such transatlantic data transfers.

The referral came about at the conclusion of a case bought by Austrian lawyer and privacy campaigner, Max Schrems, who challenged the legality of the transfer of his personal data by Facebook in Ireland to Facebook Inc. in the USA for processing.  This transfer of data was governed by standard contractual clauses, which are used to provide appropriate legal safeguards for the transfer of personal data to countries outside of the EEA.

Such clauses, allow Facebook Inc. to enter into a legally binding contract with its Irish entity and by doing so, legally undertaking  to abide by the EU’s stringent digital privacy requirements.

This contractual mechanism has been approved by the European Commission on three separate occasions since 2001 as being in accordance with the Data Protection Directive 95/46/EC and is used by thousands of companies across the digital economy as an efficient and legal way to transfer data globally whilst abiding by the EU’s data protection legislation.

However, Ireland’s Data Protection Commissioner (data regulator to nine of the world’s top 10 social media companies that, like Facebook, are based in Ireland) supported Mr Schrems’ case arguing that standard contractual clauses do not provide adequate legal protection to European citizen’s data in countries such as the US, whose data protection laws not considered to be adequate.

In her 128 page written judgement, High Court Judge Ms Caroline Costello stated that EU law guarantees a “high level of protection to EU citizens…. [who] are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area”, adding that,

“[if] there are inadequacies in the laws of the US within the meaning of [EU law], the standard clauses cannot and do not remedy or compensate for these inadequacies.” [151] 

In a video statement outside the High Court in Dublin (below) Mr Schrems said he hoped the CJEU would force the EU and the United States to “finally” deal with the gap between what he said were stricter privacy rules enjoyed by Facebook users in Europe, compared to those that apply to its servers in California.

“I hope we will get a decision that ends this ping-pong and stops kicking the can down the road,” he said, adding that he did not expect the ECJ to rule against the use of standard contractual clauses.

If standard contractual clauses are, ultimately, judged to be unlawful by the CJEU then it could have potentially far reaching consequences as billions of transactions are transferred across the Atlantic on a daily basis, from credit card transactions (both Visa and MasterCard are US businesses), to hotel bookings, other e-commerce transactions and employee’s sensitive personal information.

Whilst a CJEU decision could take as long as two years before it is delivered, it is likely that ‘work arounds’ will be found to strengthen the safeguards already contained within standard contractual clauses to avoid a repeat of the cliff edge scenario after EU-US Safe Harbour data sharing accords were judged to be illegal by the ECJ, again following a legal challenge initiated by Mr Schrems.

The full judgment of the Irish High Court can be accessed here.