Wednesday, June 18, 2014

Irish High Court refers Schrems Facebook privacy case to ECJ

The Irish High Court has this morning referred Max Schrems Facebook privacy case to the European Court of Justice. Judge Hogan (at p33) refers the following specific questions -
Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder absolutely [sic] bound by the Community finding to the contrary contained in the Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union (2000/C-364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding? Or, alternatively, may the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?
Judge Hogan's summary of overall conclusions runs from paragraphs 74 to 84.
"74... Mr Schrems' complaints are not "frivolous or vexatious"...
 75... Mr Schrems enjoys locus standi to bring this complaint and to bring these proceedings. It is irrelevant that Mr Schrems cannot show his own personal data was accessed in this fashion by the NSA, since what matters is the essential inviolability of the personal data itself. The essence of that right would be compromised if the data subject had reason to believe that it could be routinely accessed by security authorities on a mass and undifferentiated basis.
76... the evidence suggests that personal data of data subjects is routinely accessed on a mass and undifferentiated basis by the US security authorities.
77... as far as Irish law is concerned, s. 11(1)(a) of the 1988 Act forbids the transfer of personal data to a third country unless it is clear that that jurisdiction sufficiently respects and protects the privacy and fundamental freedoms of the data subjects. In this particular context of national law, the standards in question are contained in the Constitution.
78... the chief constitutional protections are those relating to personal privacy and the inviolability of the dwelling. The general protection for privacy, person and security which is embraced by the "inviolability"  of the dwelling in Article 40.5 of the Constitution would be entirely compromised by the mass and undifferentiated surveillance by State authorities of conversations and communications which take place within the home. For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups was objectively justified in the interests of suppression of crime and national security and, further, that any such interception was attended by appropriate and verifiable safeguards."
Just an aside on that last sentence in that paragraph - it could be interpreted as reading that surveillance would be justified "in the interests of suppression of ... national security". Let's just assume that's not what the good judge was attempting to convey.
"79... if the matter were to be measured solely by Irish law and Irish constitutional standards, then a serious issue would arise which the Commissioner would then have been required to investigate as to whether US law and practice in relation to data privacy, interception and surveillance matched those data standards."
(The "Commissioner" referred to is the Irish Data Protection Commissioner).

In paragraph 80 Judge Hogan explains, however, that Irish standards are effectively bypassed by the data protection directive and the European Commission's Safe Harbour agreement with the US; and the EC 2000/520/EC decision essentially declaring the US privacy-safe territory for EU personal data.
"81... it follows, therefore, that if [my emphasis] the Commissioner cannot look beyond the Commissions Safe Harbour decision of July 2000, then it is clear that the present application for judicial review must fail... because the Commission has already decided that the US provides an adequate level of data protection...
82... in holding that the complaint was unsustainable in law, the... Commissioner has ... demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision.
83... the applicant's objection is, in reality, to the terms of the Safe Harbour Regime itself rather than to the manner in which the Commissioner has applied the Safe Harbour Regime...
84... the critical issue which arises is whether the proper interpretation of the 1995 Directive and the 200 Commission decision should be re-evaluated in light of the subsequent entry into force of Article 8 of the Charter and whether, as a consequence, the Commissioner can look beyond or otherwise disregard this Community finding. It is for these reasons accordingly that I have decided to refer this question (and other linked questions) to the Court of Justice..."
My brief take -

The Irish High Court's decision amounts to a critique of mass and undifferentiated surveillance by state authorities, particularly the US. However, the much maligned Irish Data Protection Commissioner, Billy Hawkes, gets a pat on the back in rejecting Mr Schrems complaints, for "scrupulous steadfastness to the letter" of the data protection directive of 1995 and the EC Safe Harbour decision on the US in 2000. It appears, however, to constitute significant progress for Mr Schrems Europe v Facebook campaign and a small step in the right direction (nearly said "directive" there) for privacy in digital communications.

Note: Post above amended from earlier following access to full decision. 

Update: One other thought - Judge Hogan seems to think the Commissioner is boxed in by the data protection directive and the 2000 European Commission decision on Safe Harbour; but from my limited dealings with the Irish Data Protection Commissioner's office they seem to be more boxed in by a lack of resources and by their agreement with Facebook.

No comments: