Last June, Austrian law student Max Schrems wrote to the Data Protection Commissioner asking him to investigate the transfer of EU citizens' data by Dublin-based Facebook to the US security authorities.
Schrems argued that the disclosures by whistleblower Edward Snowden, which showed the mass collection of personal data by the US intelligence services, showed there was no meaningful protection of that information in US law or practice.
The commissioner, Billy Hawkes, agreed to investigate 22 other complaints by Schrems, but not this one. His stance was rooted in his understanding of Irish and EU law on the topic.
Transfer ban
The Data Protection Act 1988 includes a general ban on transferring data outside of the State save where the foreign state ensures an adequate level of protection for the rights and freedoms of the individuals concerned.
But the legislation also allows for Irish law to be pre-empted by EU law where the European Commission has found data protection to be adequate in the third country – in this case, the United States. Given that the transfer of data from firms in the EU to the US was subject to the transatlantic Safe Harbour regime – enshrined in a European Commission decision of 2000 – and Facebook had signed up to Safe Harbour, Hawkes felt there was nothing left for him to investigate.
At issue in the High Court proceedings was whether the commissioner was right or wrong in his decision not to investigate the complaint.
Mr Justice Gerard Hogan was sympathetic to Hawkes's position. As the EU had in effect declared the US provided adequate protection for data handled by firms which operated the Safe Harbour programme, the commissioner felt bound by that. Hawkes had demonstrated "scrupulous steadfastness" to the letter of the 2000 decision and the EU's 1995 data protection directive.
‘Overtaken by events’
What the judge said next could have far-reaching implications, however. There was, he observed, “perhaps much to be said for the argument that the Safe Harbour regime has been overtaken by events”. The Snowden revelations had exposed gaping holes in US data protection practice, while the coming into force of article 8 of the EU Charter of Fundamental Rights, which sets down a specific right to protection of personal data, suggested a re-evaluation of the 2000 decision and the 1995 directive might be necessary.
The question posed by Mr Justice Hogan is whether, as a matter of European Union law, Hawkes is bound by the 2000 decision on the adequacy of US data protection practice, given what was subsequently enshrined in the Charter of Fundamental Rights, which came into force with the Lisbon Treaty in 2009. Or could the data commissioner simply disregard the 2000 decision?
In view of the "general novelty and practical importance" of these issues, the judge decided to adjourn the case and refer the key questions to the European Court of Justice in Luxembourg.
So Schrems hasn’t quite managed to have the Data Protection Commissioner overruled, but it’s clear a potentially much bigger victory is now in sight for him and fellow privacy activists.