Austrian lawyer Max Schrems believes the Irish Data Protection Commissioner is required under law, and with no need to first go to the European courts, to suspend transfers of the personal data of EU citizens to the US, the High Court has heard.
That obligation arises without a need for the Court of Justice of the EU (CJEU) to first decide on the validity of European Commission decisions approving the use of data transfer channels known as standard contractual clauses (SCCs), Eoin McCullough SC, for Mr Schrems, argued.
Paul Gallagher SC, for Facebook, said what Mr Schrems was seeking was "extraordinary" with enormous implications not just for Facebook and other large entities but also for many small firms engaged in transatlantic trade.
Ms Justice Caroline Costello heard a brief outline of arguments on behalf of Mr Schrems and Facebook on Thursday in the continuing action by commissioner Helen Dixon to have the Irish court ask the CJEU to determine the validity or otherwise of the SCC decisions.
The action arises from a complaint by Mr Schrems that his EU data privacy rights were breached by transfer of his personal data by Facebook Ireland – because Facebook’s European headquarters are in Ireland – to its parent in the US, Facebook Inc.
No orders sought
The case is against Mr Schrems and Facebook but no orders are sought against them and the commissioner’s objective is to secure a CJEU determination before she finalises her decision on Mr Schrems’ complaint.
The proceedings for a referral were taken after the commissioner made a draft finding in May 2016 Mr Schrems had “well-founded” objections over the data transfers, based on her draft view that US law does not provide an effective remedy, within the meaning of article 47 of the EU Charter of Fundamental Freedoms, for breach of data privacy rights of EU citizens.
On Thursday, Mr McCullough said Mr Schrems agreed with the commissioner on the absence of an effective judicial remedy under US law and on the premise that such remedies as are available do not meet EU law requirements due to a range of exemptions, wide immunities and barriers
Where Mr Schrems differed from the commissioner is that he considers it is neither necessary nor appropriate, or it is at least premature, to make a reference to the CJEU, counsel said.
Mr Schrems’ complaint over transfer of his personal data is not limited to the SCCs but extends to other data transfer channels, counsel said. The complaint can be decided by the commissioner on the material already available, including the CJEU decision striking down the Safe Harbour arrangement for data transfers, counsel argued.
Mr Schrems considered the material relied upon by the commissioner in seeking this reference should automatically lead to the commissioner suspending data transfers, he said.
The relevant law meant a referral to the CJEU has to be “necessary” for a decision on Mr Schrems’ complaint, there was no such necessity and the commissioner had sought to create a necessity, he argued.
Arguments for Facebook
Beginning his arguments for Facebook, Mr Gallagher said what Mr Schrems wanted was “extraordinary” but his side’s focus was on Facebook’s opposition, for different reasons to Mr Schrems, to a reference to the CJEU.
The commissioner’s draft decision that Mr Schrems has “well-founded” objections to data transfers was “deeply flawed”, based on a “wrong” assessment and had been overtaken by events, including the 2016 EU-US Privacy Shield framework agreement for data transfer, counsel said.
A reference to the CJEU would have “enormous consequences”, casting doubt on the Privacy Shield framework which was not part of this application and due for review in July, he added.
The case continues on Friday.