UPDATE ON LITIGATION INVOLVING FACEBOOK AND MAXIMILIAN SCHREMS
Further Explanatory Memo (31st January 2017)
On 28 September 2016 the Data Protection Commissioner (DPC) published an explanatory memo (beneath) on the proceedings currently pending before the High Court. The title of those proceedings is “Data Protection Commissioner v. Facebook Ireland Limited & Maxmillian Schrems”. The Court Record (Reference) Number is 2016/4809P.
In this case, the DPC is asking the High Court to make a reference to the Court of Justice of the European Union (CJEU) as to the validity of the “standard contractual clauses” (SCCs) mechanism under which, at present, personal data can be transferred from the EU to the US. Because the SCCs mechanism is established under a decision of the European Commission, only the CJEU can make a ruling to the effect that the mechanism is invalid. Such a ruling cannot be made by the DPC or by any national court.
In the first Schrems case, the CJEU delivered a judgment in which it found that the “Safe Harbour” arrangements for EU/US data transfers were invalid.The DPC is now asking the High Court to make a reference to the CJEU in relation to the validity of the SCCs mechanism. This step has been taken because the DPC has concerns as to the validity of the SCCs when considered in the light of a number of factors, to include Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, and the CJEU’s judgment in the first Schrems case. The DPC considers that the concerns she holds, and the concerns expressed by Mr Schrems in a complaint filed with the DPC’s office, are well-founded. The High Court will now decide if it agrees with the DPC’s assessment.
The purpose of this note is to provide an update in relation to the progress of the proceedings.
How have the proceedings progressed since September 2016?
1. The parties and 4 amicus curiae (“friends of the Court”) filed a series of pleading documents, affidavits and legal submissions in the period between 9 September 2016 and 20 January 2017. Those documents fix the scope of the proceedings. They also set out the parties’ respective positions on the issues to be decided by the Court.
2. The September explanatory memo referred to an application brought by Mr Schrems in which he asked the court to limit his costs’ exposure in the case. That application was withdrawn by Mr Schrems before it was due to be heard in November.
3. The case is listed for hearing on 7 February 2017. It is scheduled to run for approximately 3 weeks week.
4. In advance of the hearing, the High Court made a number of rulings on 27 January 2017 in relation to the conduct of the hearing. Amongst other things, the Court directed that the following basic running order will apply:
(a) The hearing will commence on 7 February 2017 with opening submissions from the DPC.
(b) Short opening statements will follow from Mr Schrems and Facebook, in that order.
(c) Mr Schrems’ expert witness will be cross-examined on Friday, 10 February 2017.
(d) This will be followed by cross-examination of the DPC’s expert witnesses, and those of Facebook.
(e) Each of the 4 “friends of the court” will then make legal submissions in relation to the matters in issue in the case.
(f) The case will close with submissions to be made by each of the parties, in the following sequence: Mr Schrems will go first; he will be followed by Facebook, and then the Commissioner.
There are also a number of other procedural issues that will also need to be decided by the Court in the course of the trial, at a time the Court considers appropriate. These include issues relating to the evidence which is to be admitted by the Court.
The DPC will publish one or more further updates on these proceedings, including in relation to the resolution of the outstanding procedural issues, as the hearing of the case progresses.
Explanatory Memo (28th September 2016)
On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of the proceedings is to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” mechanism under which, at present, personal data can be transferred from the EU to the US.
While the DPC does not seek any specific relief against Mr Schrems or Facebook Ireland Limited (FB), both of those parties were joined to the proceedings because the outcome of the case will impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook (see further below). By joining Mr Schrems and FB to the proceedings, the DPC also ensured that those parties would have an opportunity (but not an obligation) to participate in the proceedings.
The purpose of this note is to explain the background to the case, the reasons why the DPC has taken the case and the current position in the High Court as of September 2016.
What is the background to the proceedings?
1. The case has its roots in a complaint about Facebook which was made to the DPC on 25 June 2013 by Mr Schrems, an Austrian national. Mr Schrems was concerned that, because his personal data was being transferred from FB to its US parent company Facebook Inc, his personal data was then being accessed unlawfully by US state security agencies. Mr Schrems’ concerns arose in light of the disclosures by Edward Snowden regarding a programme called “PRISM” said to be operated by the US National Security Agency (NSA). The data transfers by FB to Facebook Inc were being carried out under the Safe Harbour regime. This regime was established by way of an EU Commission decision in 2000 (the Safe Harbour Decision) which deemed the US to have an adequate level of data protection where the Safe Harbour regime was adhered to by parties involved in personal data transfers from the EU to the US.
2. The DPC declined to investigate Mr Schrems’ complaint as the DPC was bound under existing national and EU law to apply the Safe Harbour Decision. Mr Schrems then applied to the Irish High Court for a judicial review of this decision. On 18 June 2014, Mr Justice Hogan delivered his judgment holding that the essential question for determination was whether the DPC was bound by the Safe Harbour Decision as regards the adequacy of data protection law and practice in the US having regard to Article 8 of the EU Charter of Fundamental Rights (the “Charter”) which entered into force after the Safe Harbour Decision. Article 8 of the Charter establishes the right of every person to protection of their personal data. Because the Irish Court did not have authority to make any ruling in relation to the Safe Harbour Decision, it referred this issue to the CJEU to determine whether in light of Article 7 (the right to respect for private and family life, home and communications), Article 8 (mentioned above) and Article 47 (the right to an effective remedy where rights and freedoms guaranteed by EU law are violated) of the Charter, the DPC was correct in his view that he was bound in absolute terms by the Safe Harbour Decision.
3. In its judgment delivered on 6 October 2015 the CJEU ruled that, notwithstanding a decision of the EU Commission as to the adequacy of data protection provided by a third country (such as the Safe Harbour Decision), a data protection authority was not prevented from examining the complaint of a data subject as regards an alleged inadequate level of data protection provided by that third country. In fact the Court held that it was incumbent upon the national data protection authority to examine a complaint with all due diligence where the individual claimed that an EU Commission decision was incompatible with protection of privacy and fundamental rights and freedoms. However the CJEU made it very clear that although national data protection authorities may consider the validity of an EU act, such as an EU Commission decision, they cannot declare that decision invalid themselves and only the CJEU may. The CJEU went on to rule that the Safe Harbour Decision itself was invalid.
4. The CJEU gave very specific directions (paragraph 65 of the judgment) as to how European data protection authorities should in future deal with a complaint that calls into question a decision of the EU Commission, which the national data protection authority considers to be well founded. The data protection authority must engage in legal proceedings, the CJEU said, before its national courts and, if the national Court shares those doubts as to the validity of the EU Commission decision, the national Court must then make a reference to the CJEU for a preliminary ruling on validity.
5. When Mr Schrems’ proceedings were returned before the Irish High Court again on 20 October 2015 the decision of the CJEU was implemented by the making of a High Court Order which set aside the decision by the DPC not to investigate Mr Schrems’ complaint of 25 June 2013. The High Court then remitted Mr Schrems’ original complaint back to the DPC for investigation.
Why has the DPC taken the current proceedings?
6. Immediately following the Irish High Court Order of 20 October 2015, an investigation into Mr Schrems’ complaint was commenced. Later, Mr Schrems reformulated and resubmitted his complaint to take account of the fact that the Safe Harbour Decision had been struck down. The DPC agreed to proceed on the basis of that reformulated complaint.
7. In the course of its investigation, this office established that FB continues to transfer personal data to Facebook Inc, in reliance in large part on the use of standard contractual clauses (SCCs). These are pro forma agreements which have been approved, by way of certain EU Commission decisions, as providing adequate data protection for the purposes of transferring personal data to third countries.
8. Many other companies, including large internet companies, also use SCCs to transfer personal data to the US.
9. On 24 May 2016, the DPC issued a draft decision to Mr Schrems and FB, noting that the DPC had formed the preliminary view, subject to receipt of further submissions from the parties, that Mr Schrems’ complaint was well founded. This was based on the DPC’s view that:
(a) a legal remedy compatible with Article 47 of the Charter is not available in the US to EU citizens whose data is transferred to the US where it may be at risk of being accessed and processed by US State agencies for national security purposes in a manner incompatible with Articles 7 and 8 of the Charter;
(b) the SCCs do not address the CJEU’s objections concerning the absence of an effective remedy compatible with the requirements of Article 47 of the Charter as outlined in its judgment of 6 October 2015, nor could they; and,
(c) the SCCs themselves are therefore considered likely to offend against Article 47 insofar as they purport to legitimise the transfer of the personal data of EU citizens to the US.
10. In circumstances where the DPC considered that, as a matter of principle, the issuing of a notice prohibiting or suspending data transfers by FB to Facebook Inc. under Article 4(1) of the EU Commission decisions that adopted the SCCs did not provide an answer to the objections in question, the DPC was obligated to follow the judicial procedure which the CJEU had set out in paragraph 65 of its judgment of 6 October 2015 in Mr Schrems’ judicial review proceedings (described above at paragraph 4). This was because, as per the CJEU’s judgment any question concerning the validity of SCCs cannot be determined by the DPC, nor indeed by the national courts of this jurisdiction. Such questions can only be answered by the CJEU.
11. The DPC therefore commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions concerning SCCs and a preliminary reference to the CJEU on this issue. Both FB and Mr Schrems were named as the joining of these parties affords them an opportunity (but not an obligation) to fully participate if they so wish and to make submissions in the case.
12. In commencing the current proceedings, the DPC took account, not just of the significant issues arising in terms of citizens’ data privacy rights, but also of the very significant commercial implications arising from the value of data exchanges to EU-US trading relationships. The DPC recognised the necessity for an urgent resolution of the matters in question given the requirement of business for legal certainty at a time when the Safe Harbour Decision had been struck down and no alternative was at that point in place. Therefore the DPC brought an application to have the proceedings admitted into the Commercial List of the Irish High Court so that they could be determined as quickly as possible.
How far have the proceedings progressed?
13. The proceedings were commenced by the DPC on 31 May 2016. On 13 June 2016, on the application of the DPC, the proceedings were admitted into the Commercial List of the High Court.
14. Ten third parties subsequently applied to be joined to the proceedings as amicus curiae (“friends of the Court”). These were:
· the US Government,
· Electronic Privacy Information Centre (EPIC),
· BSA Business Software Alliance,
· Digital Europe,
· Electronic Frontier Foundation (EFF),
· the Irish Council for Civil Liberties,
· the American Civil Liberties Union,
· Mr Kevin Cahill,
· IBEC Limited and,
· the Irish Human Rights and Equality Commission.
On 19 July 2016 the Court ruled that four of the ten parties (the US Government, BSA Business Software Alliance, Digital Europe and EPIC) be joined to the proceedings as “friends of the Court”. This allows those parties to make representations to the High Court. The applications by the other parties were refused.
15. On 25 July 2016 the proceedings came before the High Court for directions for the progression of the case. A series of Court directions was made concerning the exchange of pleadings, affidavits and legal submissions between the parties over the course of a 5-month period commencing on 9 September 2016. This exchange is to be completed by 20 January 2017. The High Court also fixed a date for the hearing of the main action i.e. to determine the question as to whether it should make a referral to the CJEU in relation to the validity or otherwise of the EU Commission decisions on SCCs. The hearing before the High Court is due to commence on 7 February 2017 and is expected to run for approximately 3 weeks.
16. In the meantime, an application brought by Mr Schrems seeking a “protective costs order” (i.e. an Order of the High Court limiting Mr Schrems’ exposure to the legal costs incurred by the DPC and FB in the proceedings) is to be heard before the Court on 17 October 2016.
The DPC will publish procedural updates in the relation to the progression of these proceedings as further procedural steps occur.