On July 31, 2018, the Irish Supreme Court made the unprecedented decision to grant Facebook leave to appeal the Irish High Court’s referral of certain matters in an ongoing data privacy case to the European Court of Justice (“ECJ”). The Irish High Court had referred questions relating to the validity of certain data transfer channels, known as controller to processor standard contractual clauses (“SCCs”), and the legal status of transfers of EU citizens’ data, to the United States under such SCCs.
This is the latest development in a long-running legal battle between Facebook and Austrian privacy campaigner, Maximilian Schrems. Schrems originally complained to the Irish Data Protection Commissioner (“DPC”) in 2013 that the transfer of his personal data from Ireland to the United States by the European subsidiaries of five American tech giants did not afford adequate protection and that, in particular, the bulk accessing of such personal data under U.S. government mass surveillance programs (such as the National Security Agency’s Prism data collection program) contravened the fundamental privacy and data protection rights of EU citizens. Consequently, in 2015, the ECJ delivered a landmark judgment that declared that the EU-U.S. “safe harbor” data transfer arrangement (“Safe Harbor”) was invalid. With the Safe Harbor no longer an option, many businesses, including Facebook, relied on SCCs (though it should be noted that the European Commission subsequently negotiated a new mechanism in 2016, the EU-U.S. Privacy Shield, which is now used by more than 3,400 companies to simplify the process of authorising transfers of EU citizens’ personal data to the United States).
The ECJ's 2015 decision striking the Safe Harbor cast doubt on the validity of other data transfer mechanisms including the SCCs, and this is now the focus of the Facebook case. Schrems and the DPC contend that the SCCs, like the Safe Harbor, provides no protection from access by U.S. intelligence services and that EU citizens have a lack of effective legal redress in the United States, should their data be mishandled by U.S. public authorities. As part of its grounds of appeal, Facebook argued that the introduction of the General Data Protection Regulation (“GDPR”) in the time between the making of the reference by the Irish High Court and the date on which the ECJ will consider the matters meant that the legal background and context was now different, rendering the reference inappropriate.
In view of the urgency, the five-judge Supreme Court directed that the appeal should be heard before the end of 2018. In the meantime, the DPC acknowledged that many businesses rely on SCCs for EU-U.S. data transfers and emphasised that the High Court's judgment does not invalidate SCCs or prohibit their future use. Under Article 46(5) of the GDPR, existing SCCs remain valid and in force until amended, replaced, or repealed.