Tuesday 20 March 2018

Judge asks EU court to clarify rules over Facebook data sharing allegations

The challenge over Facebook privacy has been referred to the European Court of Justice
The challenge over Facebook privacy has been referred to the European Court of Justice

THE European Court of Justice (ECJ) is to be asked to examine the law governing data protection following a student's legal challenge over the rejection of his complaint about the mass transfer of data held by Facebook to the US intelligence services.

Max Schrems, an Austrian post-graduate law student behind a data privacy campaign group called "Europe v Facebook",  brought a High Court challenge claiming Ireland's Data Protection Commissioner Billy Hawkes  wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US National Security Agency (NSA). 

Mr Hawkes found Mr Schrems' complaint did not meet the threshold required to merit investigation.

Mr Schrems asked Mr Justice Gerard Hogan to quash that decision and refer it back to Mr Hawkes for re-consideration.  

He said the Commissioner's decision was irrational and he also asked that a preliminary reference on the matter be made to the ECJ.

Mr Hawkes, who found Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called "Safe Harbour", opposed the action. 

He found Facebook had no case to answer and was in compliance with the relevant regulations.

The court heard Mr Hawkes rejected suggestions that he was not prepared to take on big companies arguing that  he was already investigating 22 other similar complaints, but found Mr Schrems' case did not warrant an investigation.

Today, Mr Justice Hogan said he was referring the matter to the ECJ for re-evaluation given that "much has happened" since the 2000 Safe Harbour agreement. 

This included the enhanced threat to national and international security from rogue States, terrorist groups and organised crime, disclosures regarding mass and undifferentiated surveillance of personal data by US security forces, and the advent of social media.

The main development, from a legal perspective however, was the introduction, after July 2000, of Article 8 of the Charter of Fundamental Rights of the European Union governing personal data, he said.

While Mr Schrems maintained Mr Hawkes had not adhered to the requirements of EU law by rejecting his (Schrems) complaint, the opposite was the truth, the judge said.  

Mr Hawkes had demonstrated "scrupulous steadfastness" to the letter of a 1995 EU directive (95/46/EC) which gave rise to the Safe Harbour agreement, he said.

Mr Schrems' objection was, in reality, to the terms of the Safe Harbour regime itself rather that to the manner in which Mr Hawkes had actually applied that regime, he said.

There was perhaps much to be said for the argument that Safe Harbour itself has been overtaken by events including the revelations by former NSA computer systems administrator Edward Snowden, which may be thought to have exposed "gaping holes" in contemporary US data protection practice, the judge said.

However, Mr Schrems had not challenged the validity of either the Safe Harbour decision or of the original 1995 EU directive.

In those circumstances, Mr Hawkes is bound by the 2000 Safe Harbour decision and until the issue of re-evaluating that decision is dealt with, in light of the subsequent introduction of the Fundamental Charter data protection rights, Mr Schrems' application for judicial review and the complaint to Mr Hawkes must fail, he said.

Given the general novelty and practical importance of the issues raised, which have considerable practical implications for all 28 EU member states, it was appropriate that this question should be determined by the ECJ, he said.   

His case therefore stood adjourned and the judge put it back until next month for papers of the referral to the ECJ to be prepared.

Online Editors

Today's news headlines, directly to your inbox every morning.

Editor's Choice

Also in Irish News