Sunday 15 September 2019

Court sets 11 questions for Facebook privacy test case

Austrian activist Max Schrems made a data privacy compliant
Austrian activist Max Schrems made a data privacy compliant

Tim Healy

A High Court judge has set out 11 questions for determination by the Court of Justice of the EU (CJEU) on whether European Commission decisions approving EU-US data transfer channels are valid.

The questions were formulated after the judge heard submissions from the sides on her October judgment on proceedings by the Data Protection Commissioner (DPC) concerning a complaint by Austrian lawyer Max Schrems that transfer of his personal Facebook data by Facebook Ireland to the US breached his data privacy rights as an EU citizen.

The questions raise significant issues of EU law, including whether the High Court has correctly found there is "mass indiscriminate processing" of data by US government agencies under security programmes authorised there and known as PRISM and Upstream.

The questions also ask whether EU law applies to the processing of personal data for national security purposes. The CJEU must also decide the extent of a data protection authority's (DAA) power to suspend data flows if it considers a third country is subject to surveillance laws which conflict with EU law.

Ms Justice Caroline Costello set out the questions on Thursday in a formal request to the CJEU. Paul Gallagher SC, for Facebook, asked for time to consider that in the context of possibly seeking an appeal against the judge's decision to make a reference to the CJEU in the first place.

Michael Collins SC, for the DPC queried whether there was any entitlement to appeal a High Court decision to direct a reference but did not object to Facebook being given a short time to consider its approach.

The judge said she was anxious to make the referral but would allow Facebook until April 30 to make its case. Among the questions the CJEU must decide is whether personal data transferred from the EU to the US under existing EC decisions violates personal and data privacy provisions in the EU Charter.

The Data Protection Commissioner brought the proceedings against Facebook Ireland, because its European headquarters are here, and Max Schrems, who both opposed a reference for different reasons.

Ms Justice Costello agreed to refer the case after concurring with the Commissioner there are "well-founded" grounds for believing the EC decisions approving data transfer channels, known as Standard Contractual Clauses (SCCs), are invalid.

Irish Independent

Also in Business