The High Court has reserved judgment on an action by the Data Protection Commissioner with potentially enormous implications for trade between the European Union and United States and the privacy rights of millions of EU citizens.
Ms Justice Caroline Costello heard final arguments in the 21-day case on Wednesday, after which she reserved her decision.
The legal costs are expected to amount to several million euro.
Privacy
Commissioner Helen Dixon wants the judge to ask the Court of Justice of the EU (CJEU) to decide the validity or otherwise of European Commission decisions approving data transfer channels known as standard contractual clauses (SCCs).
Her application arises following a complaint made in 2013 by Austrian lawyer Max Schrems alleging his data privacy rights as an EU citizen were breached by transfer of his personal data by Facebook Ireland – because Facebook's European headquarters are here – to its US parent, Facebook Inc.
That complaint led to an earlier reference by the High Court to the CJEU which resulted in the European court striking down the Safe Harbour arrangement for data transfers.
Mr Schrems’s complaint was then subject to an investigation by Ms Dixon who, in a draft finding last May, found he had “well-founded” objections over data transfers based on her views about the adequacy of remedies available in the US for EU citizens who allege breach of their data privacy rights.
She wants the Irish court to ask the CJEU to decide on the validity of the European Commission decisions approving the SCCs before finalising her decision on Mr Schrems’s complaint. Her concern is “to get it right”, the court heard.
The case is against Facebook and Mr Schrems who, for different reasons, oppose a referral.
Facebook argued the commission’s draft finding is wrong and failed to take into account the 2016 agreement between the European Commission and US on a “Privacy Shield” framework for data transfers.
Mr Schrems argues a reference is unnecessary or at least premature in circumstances including, he alleges, that the commissioner has not yet fully investigated his complaint.
The judge also heard evidence from various experts on US law, along with arguments opposing referral from the US government, Digital Europe and the Business Software Alliance.
Decision
The US government disputed the claims of inadequate protections there and it and the other two bodies also argued there would be potentially enormous adverse consequences for trade, business and economic interests in the EU, US and beyond if the SCCs were found invalid.
Lawyers for the Electronic Privacy Information Centre, a Washington-based non-governmental organisation, endorsed the commissioner’s concerns about adequacy of remedies in the US.
In final arguments on Wednesday, Brian Murray SC, for the commissioner, and Paul Gallagher SC, for Facebook, strongly disagreed on the relevance of the Privacy Shield decision to the issues the Irish court has to decide.
Mr Gallagher said it seemed the court was being asked to “ignore” that the Privacy Shield decision included a “binding” decision on the adequacy of protections in the US.
Mr Murray said this case was about the validity of the SCC decisions and, while the commissioner was not arguing that the court should not have regard to the Privacy Shield decision, Facebook appeared to be relying on "recitals" in that which were "not generally binding".
That decision was by the European Commission, his side argued it was wrong, and the appropriate body to determine the issues raised in this case was the CJEU, counsel said.