Data Commissioner must halt transfers to the US, court told
AUSTRIAN lawyer Max Schrems believes the Irish Data Protection Commissioner is required under EU law to suspend transfers of the personal data of EU citizens to the US - with no need to first go to the European courts, the High Court has heard.
That obligation arises without a need for the Court of Justice of the EU (CJEU) to first decide on the validity of European Commission decisions approving the use of data transfer channels known as standard contractual clauses (SCCs), Eoin McCullough SC, for Mr Schrems, argued.
Paul Gallagher SC, for Facebook, said what Mr Schrems was seeking was "extraordinary" with enormous implications for Facebook and other large entities but for many small firms engaged in transatlantic trade.
Ms Justice Caroline Costello heard a brief outline of arguments on behalf of Mr Schrems and Facebook yesterday in the continuing action by Commissioner Helen Dixon to have the Irish court ask the CJEU to determine the validity or otherwise of the SCC decisions.
The action arises from a complaint by Mr Schrems that his EU data privacy rights were breached by transfer of his personal data by Facebook Ireland - Facebook's European headquarters - to its parent in the US, Facebook Inc.
The case is against Mr Schrems and Facebook but no orders are sought against them and the Commissioner's objective is to secure a CJEU determination before she finalises her decision on Mr Schrems's complaint.
The proceedings for a referral were taken after the Commissioner made a draft finding in May 2016 that Mr Schrems had "well-founded" objections over the data transfers. This was based on her draft view US law does not provide an effective remedy, within Article 47 of the EU Charter of Fundamental Freedoms, for breach of data privacy rights of EU citizens.
Yesterday, Mr McCullough said Mr Schrems agreed with the Commissioner on the absence of an effective judicial remedy under US law and that such remedies as are available do not meet EU law requirements due to a range of exemptions, wide immunities and barriers
Where Mr Schrems differed from the Commissioner is that he considers it is neither necessary nor appropriate, or it is at least premature, to make a reference to the CJEU, counsel said.
Mr Schrems's complaint over transfer of his personal data is not limited to the SCCs but extends to other data transfer channels, counsel said. The complaint can be decided by the Commissioner on the material already available, including the CJEU decision striking down the Safe Harbour arrangement for data transfers, counsel argued.
Mr Schrems considered the material relied on by the Commissioner in seeking this reference should automatically lead to the Commissioner suspending data transfers, he said.
Mr Gallagher said what Mr Schrems wanted was "extraordinary" but his side's focus was on Facebook's opposition, for different reasons to Mr Schrems, to a reference to the CJEU.
The Commissioner's draft decision that Mr Schrems has "well-founded" objections to data transfers was "deeply flawed", based on a "wrong" assessment and had been overtaken by events, including the 2016 EU-US Privacy Shield framework agreement for data transfer, counsel said.
A reference to the CJEU would have "enormous consequences", casting doubt on the Privacy Shield framework which was not part of this application, he added. The case continues.