Irish High Court rules on Max Schrems international data transfer case

3 Oct 2017

Max Schrems. Image: Institute of Network Cultures/Flickr (CC BY-NC-SA 2.0)

The Max Schrems case will now be going to the CJEU in Luxembourg.

A ruling given out today (3 October) on a data protection case will have repercussions for both individual data privacy and international business inside and outside of the European Union.

The case is in relation to a a complaint from Austrian lawyer and privacy advocate Max Schrems, who is opposed to the transfer of his personal data by Facebook’s EU headquarters in Dublin to its US base.

Data Protection Commissioner (DPC) Helen Dixon called to refer the case to the Court of Justice of the EU (CJEU). Contrary to the DPC’s wishes, both Schrems and Facebook said they would prefer the CJEU to remain uninvolved. Schrems argued that Dixon had enough information to finalise his complaint, while Facebook argued that US law provided adequate privacy protections for EU citizens.

Murky data laws

US surveillance laws allow data to be made available to the NSA, while EU data law requires that data transfer can only be undertaken if the individual’s data is protected. Schrems originally complained about the data transfers by Facebook in the wake of revelations made by Edward Snowden surrounding the NSA’s spying system, Prism, in 2014.

There is a complex web within this case, with many questioning the very possibility of mass data flows in and out of Europe, especially considering the US and EU viewpoints on data privacy. Traditionally, the US sees security and finance as a priority over individual privacy protections.

The case centres around the question of whether so-called standard contractual clauses (SCCs) used by companies to transfer personal data to different territories are valid.

The clauses are among a number of data transfer frameworks approved under existing EU data protection laws. They are designed to ensure that European citizens enjoy the same level of protection for their personal data when it is processed in the US as in the EU. These SCCs are used by thousands of companies who rely on them to transfer data to companies outside of the EEA.

What about Brexit?

As well as this, you have the elephant in the room wearing a Union Jack as a cape: Brexit. The UK will soon be a separate entity and will likely still want the same data-flow freedoms with EU countries, even as it exits the organisation.

This morning, Schrems confirmed via Twitter that the case would be referred to the CJEU.

Facebook’s response

A spokesperson for Facebook said: “Standard contract clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

 “This ruling will have no immediate impact on the people or businesses who use our services. However, it is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under standard contractual clauses and US law before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.”

Max Schrems. Image: Institute of Network Cultures/Flickr (CC BY-NC-SA 2.0)

Updated, 11.35am, 3 October 2017: This article was updated to include a statement issued by Facebook.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects