Max Schrems, an Austrian post-graduate law student behind a data privacy campaign group called ‘Europe v Facebook’, brought a High Court challenge claiming Ireland’s Data Protection Commissioner Billy Hawkes wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US National Security Agency (NSA).
Mr Hawkes found Mr Schrems’ complaint did not meet the threshold required to merit investigation.
Mr Schrems had asked Mr Justice Gerard Hogan to quash that decision and refer it back to Mr Hawkes for re-consideration.
He said the Commissioner’s decision was irrational and asked that a preliminary reference be made to the ECJ. Mr Hawkes, who found Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called ‘Safe Harbour’, opposed the action. He found Facebook had no case to answer and was in compliance with relevant regulations.
The court heard Mr Hawkes rejected suggestions that he was not prepared to take on big companies, arguing that he was already investigating 22 other similar complaints from Mr Schrems, but this particular one did not warrant an investigation.
Yesterday, Mr Justice Hogan said he was referring the matter to the ECJ for re-evaluation given that “much has happened” since the Safe Harbour agreement. This included the enhanced threat to national and international security, disclosures regarding mass and undifferentiated surveillance of personal data by US security forces, and the advent of social media.
The main development, from a legal perspective, was the introduction, after July 2000, of Article 8 of the Charter of Fundamental Rights of the EU governing personal data, he said.
While Mr Schrems maintained Mr Hawkes had not adhered to the requirements of EU law by rejecting his (Schrems’) complaint, the opposite was the truth, the judge said. Mr Hawkes had demonstrated “scrupulous steadfastness” to the letter of a 1995 EU directive... which gave rise to the Safe Harbour agreement.
Mr Schrems’ objection was, in reality, to the terms of the Safe Harbour regime itself rather that to the manner in which Mr Hawkes had actually applied that regime, he said.
There was perhaps much to be said for the argument that Safe Harbour had been overtaken by events, including the revelations by former NSA computer systems administrator Edward Snowden, which may be thought to have exposed “gaping holes” in contemporary US data protection practice, the judge said.
The judge also noted the Snowden revelations demonstrated “a massive overreach” on the part of the security authorities “with an almost studied indifference to the privacy interests of ordinary citizens”.
The judge said Mr Schrems contended the Snowden revelations about Prism showed there was no meaningful protection in US law or in practice regarding data transfer as far as surveillance was concerned and in particular there was no requirement by those services to obtain a court order for their activities.
In this specific complaint, Mr Schrems had not challenged the validity of either the Safe Harbour decision or of the original 1995 EU directive.
In those circumstances, Mr Hawkes is bound by the 2000 Safe Harbour decision and until the issue of re-evaluating that decision is dealt with, Mr Schrems’ application for judicial review and the complaint to Mr Hawkes must fail, he said.
Given the general novelty and practical importance of the issues raised, which have considerable practical implications for all 28 EU member states, it was appropriate this question should be determined by the ECJ. The case was adjourned until next month for papers of the referral to be prepared.