The Court of Justice of the European Union, the EU’s highest court, has been asked to weigh in on the issue of transferring Europeans’ personal data to the U.S., where it can be subject to surveillance by the NSA.
Specifically, the CJEU will need to decide whether the Irish data protection commissioner was right to decline an investigation into Facebook’s transfer of Europeans’ data to its U.S. data centers. The commissioner said these transfers were legal under the EU-U.S. Safe Harbor agreement, established back in 2000, so he didn’t have to investigate further.
The case had been brought by the Austrian law student Max Schrems (pictured above), leader of the “Europe v Facebook” group, who had previously used the Irish data protection office to force Facebook to give up more user data when its users want it. The commissioner characterized Schrems’s most recent challenge as “frivolous and vexatious”, and exercised his power to kill the case there and then. Schrems applied for a judicial review (with legal costs paid for through a crowdfunding campaign), which is how we ended up with Wednesday’s ruling (PDF) from Mr Justice Hogan.
By the way, if you’re asking “Why is an Austrian suing a U.S. company in Ireland?”, the answer is the generous tax breaks and light-touch regulation that Ireland has used to make itself the international base for many tech multinationals – Apple, Facebook, Google and many others headquarter their international operations there.
Is it OK to ignore 14 years of history?
Hogan disagreed that Schrems was a vexatious complainer, saying that in the wake of Edward Snowden’s NSA revelations his concern was justified. He also said that, although Schrems clearly had no definitive evidence that the principles of the Safe Harbor agreement were being violated, he was “nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the U.S. security authorities.”
The Safe Harbor agreement is a mechanism that allows the transfer of EU citizens’ personal data to U.S. companies that self-certify as being compliant with EU-grade data protection. It was agreed to back in 2000 and came into force before two key subsequent events, namely 9/11 and the passage into law of Article 8 of the EU Charter of Fundamental Rights, which sets out key definitions for data protection.
Many EU parliamentarians and data protection officials want to see Safe Harbor suspended in the wake of the NSA scandal, but the agreement’s guiding principle – that the U.S. has adequate-enough data protection to protect the data of EU citizens – does technically remain the last word on that matter, legally speaking.
Therefore, Hogan said, the Irish data protection commissioner was right to defer to the 2000 agreement. However, the judge was far less convinced that the commissioner could just point to that document as a reason to drop the entire matter.
So here’s the question that’s now going up to the CJEU: Is the watchdog “absolutely bound” by the European Commission’s view 14 years ago that the U.S. adequately protects personal data, or “alternatively, may the office holder conduct his or her own investigation on the matter in the light of factual developments in the meantime since that Commission Decision was first published?”
Back to bite them
Schrems, of course is delighted. In a statement, he took aim at the “frivolous complaint” excuse used by the Irish data protection commissioner:
“We relied on the same legal arguments as the European Commission, the European Parliament, the European, German and Luxemburg Data Protection Authorities and every expert I know of in the field of privacy law. The court has to decide if all of Europe is drowned in an ocean of frivolity, or if the Irish DPC did not apply the law correctly.”
He also pointed out that the CJEU decision will affect all U.S. companies with operations in Europe, and expressed some sympathy with those companies’ awkward position – EU law says they must protect their customers’ data, but the NSA says they can’t.
“At first sight one could feel bad for these companies, but most of them have chosen to sit on these two chairs. They settled in Ireland to exploit differences in the tax code and pay almost no taxes.”
To be clear, the CJEU isn’t being asked to rule on the legality of PRISM, nor on the tech firms’ actions. However, these elements are fundamental to the case and will get a thorough airing through it. Also, the CJEU recently ruled that the E.U.’s own metadata retention directive was unlawful — a fact referred to in Hogan’s ruling as suggesting Safe Harbor may be incompatible with Article 8 of the EU Charter. This should be fun.