Global menu

Our global pages

Close

Landmark EU-US data privacy court case referred to CJEU by High Court

  • Ireland
  • General

03-10-2017

The Data Protection Commissioner v Facebook Ireland Limited And Maximillian Schrems

Background

For information in relation to the background to this case and a summary of the proceedings, please click on the following link:
https://www.eversheds-sutherland.com/global/en/what/publications/shownews.page?News=en/ireland/review-of-landmark-eu-us-data-privacy-case

Judgment

Today in the High Court Ms Justice Costello referred for preliminary ruling the validity of the transfer of personal data from EEA countries to non-EEA country (in this case the United States) by standard contractual clauses (“SCC’s”) to the Court of Justice of the European Union (the “CJEU”).

In her judgment, Ms. Justice Costello emphasised that it is not the function of the court to criticise the laws of a sovereign state (the United States), or to pronounce on the relevant merits of the laws of the United States and the European Union. Instead, Ms Justice Costello found, inter alia, that:

  1. The Data Protection Commissioner had raised well-founded concerns in relation to the use of SCC’s for the transfer of personal data to the United States;
  2. That a decision was required to determine whether the Privacy Shield Ombudsperson amounts to an effective remedy as required by European Union law;
  3. Whether the exceptional discretionary power conferred on the Data Protection Commissioner by Article 28 of the Directive to suspend or ban the transfer of data to a data importer in a third country on the basis of the legal regime in that third country is sufficient to secure the validity of the decision of the European Commission 2010/87/EEU (and two earlier decisions)(the “SCC Decisions”); and 
  4. That only a decision of the CJEU can ensure uniformity in the application of the Directive.

Below is an executive summary of the conclusions of the court:

  1. The court has jurisdiction to make a reference to the CJEU for a preliminary ruling;
  2. The court may do so if it finds that the Data Protection Commissioner has well-founded concerns as to the validity of the decisions and the court shares those concerns;
  3. European Union Law and the Charter of Fundamental Rights of the European Union (the “Charter”)  are engaged, notwithstanding the fact that the interferences with personal data, which are the subject of the case arise from surveillance for the purposes of national security;
  4. The court is not obliged to reject the application by reason of the adoption of the EU-US Privacy Shield Decision;
  5. Union law guarantees a high level of protection of EU citizens as regards the processing of their personal data within the EU. They are entitled to an equivalent high level of protection when their personal data are transferred outside the EEA;
  6. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Article 7 and 8 to respect for private and family life an protection of personal data concerning him or her;
  7. Rights and freedoms guaranteed by the Charter may be limited by law but the essence of the right or freedom must be respected. Limitations must be necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;
  8. The Data Protection Commissioner has raised well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter, for an EU citizen whose data are transferred to the US where they may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter;
  9. The introduction of the Privacy Shield Ombudsperson mechanism in the Privacy Shield decision does not eliminate those well-founded concerns. A decision of the CJEU is required to determine whether it amounts to a remedy satisfying the requirements of Article 47;
    10. A decision of the CJEU is required to determine whether the existence of the exceptional discretionary power conferred on the Data Protection Commissioner by Article 28 of the Directive to suspend or ban the transfer of data to a data importer in a third country on the basis of the legal regime in that third country is sufficient to secure the validity of the SCC Decisions to authorise the transfer of data by data exporters from the EEA to data importers outside the EEA on the basis of standard contractual clauses; and
    11. It is important that there be uniformity in the application of the Directive throughout the Union. Only a decision of CJEU can resolve the potential for inconsistent applications of the Directive which will arise if the validity of transfers of personal data outside the EEA pursuant to the SCC Decisions depends on the exercise by individual national supervisory authorities of their independent discretion in individual cases.

Submissions will be heard by Ms Justice Costello in relation to the judgment on Wednesday 11 October at 10:30am.

We will continue to publish further updates on the proceedings as the case progresses.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

< Go back

Print Friendly and PDF
Register to receive regular updates via email.