By Ann O'Loughlin
A High Court judge has set out 11 questions for determination by the Court of Justice of the EU concerning whether European Commission decisions approving EU-US data transfer channels are valid.
However, while Ms Justice Caroline Costello said she was anxious to send the matter on to the CJEU, she agreed to permit Facebook a short period to April 30 to consider whether to seek an appeal against her decision to make a reference in the first place.
The questions which the judge today approved for reference include one asking whether EU law applies to the transfer of data notwithstanding provisions of the Treaty of the EU (TEU) concerning national security and EC Directive 95/46/EC relating to public security, defence and State security.
The CJEU is also asked to decide, given findings by the Irish court concerning US law, whether personal data transferred from the EU to the US under the EC decision violates the rights of individuals under Articles 7 and 8 of the EU Charter.
A further question asks, if a third country data importer is subject to surveillance laws that a data protection authority (DAA) believes conflict with either Article 25 and 26 of the EC Data Protection Directive, clauses of the Annex to the EC decisions permitting the transfers and/or the EU Charter, then can a DAA use enforcement powers to suspend data flows or are such powers limited to "exceptional" cases or can a DAA use its discretion not to suspend data flows?
Ms Justice Costello gave her decision today on questions to be referred to the CJEU arising from her judgment last October on proceedings by the Data Protection Commissioner arising from a complaint by Austrian lawyer Max Schrems over the transfer of his personal Facebook data by Facebook Ireland to the US.
In her judgment, Ms Justice Costello concluded there should be a reference and later heard submissions as to the precise form of that reference.
After the judge issued the written reference today, Paul Gallagher SC, for Facebook, asked for time to consider that in the context of making a decision whether to appeal the October judgment directing a reference.
Michael Collins SC, for the DPC, said there was an issue whether there was any entitlement to appeal a High Court decision to make a reference but he was not objecting to a short time.
The judge said she would allow time to consider her decision and adjourned the matter to April 30.
The judge also provided copies to the sides of her October judgment as a number of corrections of factual errors had been made to that.
Several of the issues for reference concern Articles 25 and 26 of the Data Protection Directive. Article 25 requires EU member states to ensure, where transfers of data of EU citizens are transferred to third countries, the latter provides an adequate level of protection. Article 26 allows for a derogation from Article 25 and permits, once adequate safeguards are provided, transfers to third countries which do not provide adequate protection.
Commissioner Helen Dixon had sought the reference arising from a complaint by Mr Schrems that transfer of his personal Facebook data to the US was done in breach of his data privacy rights as an EU citizen.
The Commissioner brought the proceedings against Facebook Ireland, because its European headquarters are here, and Mr Schrems, who both opposed a reference for different reasons.
The US government, EPIC, the Business Software Alliance and Digital Europe were joined to the case as amici curiae, assistants to the court on legal issues.
Facebook argued US law and various measures, including the 2016 Privacy Shield data transfer agreement between the European Commission and US, afford adequate protection for data privacy rights of EU citizens.
Mr Schrems disputed that and opposed a reference on grounds the Commissioner had adequate information to decide his complaint.
In her October judgment, Ms Justice Costello agreed to refer after concurring with the Commissioner there are “well-founded" grounds for believing the European Commission decisions approving the data transfer channels known as Standard Contractual Clauses (SCCs) are invalid.
Her judgment was primarily concerned with the EC Data Protection Directive and its focus on whether third country protections for EU citizens data privacy rights are "adequate".
She held the Commissioner had raised "well-founded" concerns about the absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the EU for an EU citizen whose data is transferred to the US "where it may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter".