On April 12, the High Court of Ireland referred 11 questions to the Court of Justice of the European Union regarding the legality of data transfers between Facebook’s Irish and U.S. corporate entities. This request for a preliminary ruling was made pursuant to Article 267 of the Treaty on the Functioning of the European Union, which states that the European Court of Justice has jurisdiction to provide preliminary rulings concerning the validity and interpretation of acts made by EU bodies. In this case, the Irish data protection commissioner is challenging a series of decisions made by the European Commission allowing data transfer between EU and U.S. corporate entities. (The full text of the preliminary ruling request.)
This most recent decision by the High Court of Ireland builds on a voluminous litigation record between Maximilian Schrems, an EU privacy activist, the Irish data protection commissioner, and Facebook regarding the transfer of data between the EU and U.S. in light of the Snowden revelations. In Schrems v. Data Protection Commissioner, the European court found, after a similar request for preliminary ruling from the Irish High Court, that a 15-year-old EU-U.S. data transfer framework, also called “Safe Harbor,” was invalid. Specifically, the European court found Safe Harbor wanting because the European Commission, in validating Safe Harbor, did not state whether the U.S. in fact ensured adequate levels of protection through U.S. domestic law or international commitments. More specifically, the court found that legislation permitting public authorities to have generalized access to electronic communications was a facial violation of the Charter of Fundamental Freedoms of the European Union and that failure to provide judicially enforced rights of access to personal data does not respect the essence of the right to effective judicial protection under that document.
After Safe Harbor collapsed, the European Commission and U.S. Department of Commerce negotiated a replacement framework: the EU-U.S. Privacy Shield. This new framework allows the European Commission to certify, on a periodic basis, that the U.S. is adequately protecting European personal data under EU law. The commission made its first adequacy determination within this framework in October 2017. In this determination, the commission recommended that Congress incorporate protections for non-U.S. persons (currently provided by Presidential Policy Directive 28 on signals intelligence) into FISA. When FISA was reauthorized in January 2018, protections for non-U.S. persons from PPD-28 were not included in the legislation.
Schrems argues in active litigation that his personal data, transferred to the U.S., is “‘made available’ to U.S. government authorities under various known and unknown legal provisions and spy programmes” without judicial remedy to protect his personal data rights. These personal data rights, he contends, are rooted in Articles 7 and 8 of the EU Charter of Fundamental Rights. Article 7 states that “Everyone has the right to respect for his or her private and family life, home and communications.” Article 8 guarantees more specifically “the right to the protection of personal data.” It also mandates that personal data “be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” Justice Caroline Costello of the Irish High Court determined that there is “a well founded objection” that U.S. law does not provide an effective remedy for EU citizens to vindicate these rights as required by Article 47 of the EU Charter. As such, the high court is questioning the validity of European Commission decisions certifying that “standard contractual clauses” (such as those currently relied upon in Privacy Shield) offer sufficient privacy safeguards on the transfer of EU citizen data to the U.S. While it is difficult to find statistics on the prevalence of standard contractual clauses, anecdotal evidence suggests that their ease of implementation makes them quite prevalent as a framework for transferring data out of the EU.
Questions Referred to the Court of Justice of the European Union
The Irish High Court requested that the European Court of Justice answer the following eleven questions (paraphrased here) as a matter of EU law before proceeding with the case:
1. When a private company transfers personal data to a third country for commercial purposes pursuant to a framework like Privacy Shield, but where that data may be processed by the third country government for national security or law enforcement purposes, does EU law apply to the data transfer? The scope of Article 4(2) of the Lisbon Treaty, which states that the EU “shall respect ... essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security,” is central to this question. Facebook argues that EU law does not apply to this case because of this national security exception “regardless of whether the processing takes place in the EU or in third countries such as the United States.”
2. What is the relevant legal framework for determining whether there is a violation of the rights of an individual from a given data transfer – provisions of EU law or the national laws of EU member States? Facebook argues that there is no direct comparison in EU law for data processing by third country governments for national security purposes. Within the EU, due to Article 4(2), this is a matter covered exclusively by the law of EU member States. Therefore, Facebook argues that the only reasonable “comparator” to U.S. law and practice is the law and practice of EU member States.
3. Should adequacy determinations be based only on domestic law and international commitments, as well as the practice implementing those rules (including professional rules and security measures)? Or alternatively, should adequacy determinations be more expansive, also considering administrative, regulatory, and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms, and other non-judicial remedies? The Irish data protection commissioner and Schrems argue that the court should look only to a third country’s binding domestic law or international commitments, and therefore (implicitly) not statements of executive policy like PPD-28. Facebook and the U.S. government argued that the American privacy regime should be assessed more holistically, including oversight mechanisms within the executive branch, accountability to congressional committees, and broader consideration of institutions like the press.
4. Do data transfers to the United States done in accordance with standard contractual clauses violate individual rights as defined in Articles 7 and/or 8 of the EU Charter? The court presented this question in the context of open-source accountings of NSA surveillance programs, including PRISM and other surveillance authorized under FISA Section 702. It will be interesting to see whether the recent Cloud Act factors into the court’s analysis. As Andrew Woods and Peter Swire described previously on Lawfare, that law would pave the way for executive agreements between the U.S. and other countries to request data stored outside their jurisdiction for law enforcement purposes.
5. Does the level of protection afforded by the United States respect an individual’s right to judicial remedy pursuant to Article 47 of the EU Charter? If it does, are limitations on the right to judicial remedy reasonably proportionate to what is necessary in a democratic society for national security? The data protection commissioner argued that U.S. law does not respect Article 47 rights to effective remedy before an independent and impartial tribunal. More specifically, the commissioner argued that it would be extremely difficult for an EU citizen without a substantial connection with the United States to establish standing before an American court. The Irish court held that while many possible causes of action potentially exist, few EU citizens would actually be able to take advantage of them. Facebook, on the other hand, argued that the European court’s previous decisions established that only when there was no possibility of remedy could it be said that Article 47 was violated. Furthermore, Facebook argued that the judicial remedy should be assessed in light of national security imperatives.
Questions 6 through 8 address the argument that the data protection authority’s ability to prohibit or suspend data flows is an adequate remedy for possible infringement of EU citizen data privacy protection rights.
6. What is the level of protection that must be afforded personal data transferred to a third country pursuant to standard contractual clauses? What should be taken into account when making this assessment?
7. Does the fact that standard contractual clauses apply only as between data exporter and importer, and do not bind national authorities which may request personal data for national security or law enforcement purposes, preclude the clauses from providing an adequate safeguard under EU data privacy law?
8. How much discretion does a data protection authority have to take action when a third country data importer is subject to surveillance laws that, in the authority’s view, conflict with standard contractual clauses or other provisions of EU law?
9. Do the provisions of Privacy Shield, and European Commission determinations based on them, bind data protection authorities and the courts of member States? If not, what if any relevance does the Privacy Shield framework have?
10. Does Privacy Shield’s provision for an ombudsperson, in conjunction with the existing U.S. data privacy regime, ensure an adequate remedy under Article 47 for EU citizens whose data is transferred to the United States? Under Privacy Shield, the ombudsperson is appointed by the U.S. Secretary of State and investigates complaints received from EU citizens relating to their personal data. This investigation must confirm that the complaint is being properly investigated and that the relevant agency is complying with relevant provisions of U.S. law, regulation, and policy. The ombudsperson cannot confirm or deny whether an individual is the target of surveillance nor confirm the specific remedy, if any, that is applied. The data protection commissioner argues that determinations by the ombudsperson are insufficient as a matter of EU law since the office is not established by law, not permanent, does not provide reasoning or compensation, does not exhibit any of the indicia of a tribunal, and is not subject to judicial review.
11. Does the European Commission’s decision regarding standard contractual clauses violate Articles 7, 8, or 47 of the EU Charter?
It is difficult to know how much time the Court of Justice will require to adjudicate these 11 questions, though there are many steps before it will issue a decision. First, the parties, member-states, the European Commission, and the European Parliament and Council will have an opportunity to submit written observations. The court may also ask the Irish High Court for further clarification. Thereafter, a judge on the European court will summarize the case, and the court will decide (1) how many judges to assign to the case and (2) whether an oral hearing is needed. During the oral hearing, judges and the advocate-general may question lawyers from both sides. The court employs 11 advocates-general—it is unclear which would be selected to consult on the case. Like European judges, advocates-general are appointed to a renewable six-year term and may be asked to provide a legal opinion—but they do not participate in decisions. After the oral hearing, the European court will decide whether to request an opinion from the advocate-general. Thereafter, the court will issue a binding decision as a matter of EU law.