While the High Court has not yet provided Schrems (Europe v Facebook) with a ruling on his complaint against the Data Protection Commissioner for refusing to investigate Facebook, the High Court has referred an essential question of privacy law to the Court of Justice of the European Union. In Wednesday’s judgment, Mr Justice Gerard Hogan cast doubt on the legality of the current ‘Safe Harbour’ rules that govern the transfer of information between the EU and US.

As it would undermine the purpose of EU data protection law if companies could simply export personal data to other jurisdictions with lax protection, there is a general prohibition preventing companies from sending personal data to countries outside the EU. Due to the importance of information flow for the economy, however, companies are permitted to send data to countries outside the EU if there is a guarantee the data will receive adequate protection. The Safe Harbour regime was created to facilitate the compliance of US companies with EU law.

While a European Commission decision issued in 2000 recognises Safe Harbour as providing adequate protection of personal data, the Snowden revelations raise serious questions about the system’s effectiveness.

The Lisbon Treaty made the EU Charter of Fundamental Rights legally binding, explicitly recognising both the right to respect for private life and the right to protection of personal data.

On Wednesday, Mr Justice Hogan questioned whether the April decision of the CJEU in Digital Rights Ireland v Minister for Communications has altered the legal position. In the Digital Rights Ireland decision, the CJEU found the Data Retention Directive to be invalid as it does not provide sufficient safeguards for protection of personal data as required under the EU charter.

In what could be interpreted as a veiled reference to the Snowden revelations, the CJEU stated that the Data Retention Directive did not require that the data be retained within the EU. This fact, it said, meant sufficient control by an independent authority, as explicitly required by article 8(3) of the charter, could not be fully ensured.

Mr Justice Hogan pointed out that, in light of these standards, “it is not immediately apparent how the present operation of the Safe Harbour regime can in practice satisfy the requirements of article 8(1) and article 8(3) of the charter”.

He explicitly recognised the abuses carried out by the US security authorities, but also acknowledged that its Foreign Intelligence Surveillance Court provides judicial oversight. The language used in the Digital Rights Ireland decision seems relevant when considering the judge’s assertion that considerable legal difficulties are posed by “the very fact that this oversight is not carried out on European soil”.

Recognising the importance of the issues raised, Mr Justice Hogan has referred a question to the CJEU, asking whether an office holder enforcing data protection legislation (such as a data protection commissioner) is bound by the commission’s decision that the Safe Harbour regime is adequate, or whether the office holder may conduct their own investigation of the matter taking into account the developments that have occurred since the commission decision in 2000.

In light of recent judgments fromthe CJEU (such as the Digital Rights Ireland and Google Spain ‘right to be forgotten’ decisions), this appears to be a crucial moment for data protection in Europe. Privacy advocates around the globe will eagerly await the CJEU ruling on the referred question.

- Maria Helen Murphy is Lecturer in Law at NUI Maynooth