Law student’s complaint over handling of data reverberates globally

European Court of Justice hearing on data privacy could have profound implications

Austrian law student Max Schrems: the case heard on Tuesday originates in an action brought by him against the Irish Data Protection Commissioner, in which he asserted the commission should have taken more substantial action when he filed a complaint over Facebook’s handling of his data. Photograph: Dieter Nagl/AFP/Getty Images

On Tuesday, the European Court of Justice heard an Irish case – referred from the High Court – that could have profound implications for international business and politics. Its importance cannot be overstated, and should not be underestimated by US and European governments or any company involved in data management and transfer (who isn't, these days?).

The case originates in an action brought against the Irish Data Protection Commissioner by Austrian law student Max Schrems, in which he asserted the commission should have taken more substantial action when he filed a complaint over Facebook's handling of his data.

Schrems argued that his data was not adequately protected under his privacy entitlements as an EU citizen, especially given that Facebook was now known to have been one of the companies handing over user data to the US National Security Agency through the secret Prism programme. Prism was revealed by whistleblower Edward Snowden in mid-2013.

Schrems’ action – taken in Ireland because Facebook’s European headquarters is here – began before Snowden’s disclosures, but Schrems later argued they gave his complaint additional weight.


Safe Harbour

At the heart of this week’s European Court of Justice hearing is the functional validity of a set of data-handling principles called Safe Harbour, drawn up in 2000 between the US and EU. Under Safe Harbour, the US promises US organisations will handle EU citizen data in line with EU law. That the entire Safe Harbour edifice is now, critically and rightly, under scrutiny by the court’s 16-judge panel this week, is down to the Irish High Court and Mr Justice Gerard Hogan.

He oversaw the 2014 judicial review requested by Schrems of the commission decision. The commission had refused to take Schrems’s complaint to US authorities, arguing the broader issue of Safe Harbour’s compliance with EU data-protection law was a matter for high-level political discussion.

Schrems said his case highlighted Safe Harbour’s inadequacy, because his Facebook data indicated uses beyond the Safe Harbour principles, even the potential of it being passed to the NSA.

However, Mr Justice Hogan said Schrems's High Court case had failed to lay out a direct challenge to the legality of Safe Harbour, instead focusing on how the commission applied that agreement. On that point, the judge decreed that the commission had adhered with "scrupulous steadfastness" to its mandate within Irish law (though the court questioning indicated Ireland's application of that law may yet prove problematic for the Government).

The court could not be asked specifically for a direction on Safe Harbour, since – again, almost inconceivably – such a direct challenge was not the subject of the original complaint.

Mr Justice Hogan (and certainly Max Schrems) understood the importance of the determination. The judge had noted with considered understatement in 2014 that “much has happened” since Safe Harbour came into effect, not least article 8 of the July 2000 Charter of Fundamental Rights of the EU affirming data protection as a right.

Privacy advocate Digital Rights Ireland was appointed an “amicus” in the case – an advisory role. It argued before the European Court of Justice that Safe Harbour could not be considered safe at all and, indeed, never could have been as it always allowed for new US state or federal laws to override its provisions.

In robust questioning, the court validated these concerns, indicating it too saw the functionality of Safe Harbour as a key issue arising from the case.

The court has form in acting firmly on core data privacy issues. This court overturned the EU's data retention directive last year, based largely on a case brought by Digital Rights Ireland against the State. In a case involving Google, the court introduced the notion of a nominal "right to be forgotten" under which EU citizens can request that search engine links to some types of outdated or incorrect information be removed.

What happens if – as seems highly likely – the court rejects Safe Harbour when it makes its final decision in autumn, potentially halting all data transfers between the EU and US? There’s only one, short, answer: the EU and US must complete 18 months of ongoing negotiations for a post-Snowden Safe Harbour overhaul, or risk catastrophe for businesses and other organisations exchanging data.

Irish data centres

But you can bet the big multinationals are not relying on a just-in-time political solution. Businesses have to comply with EU law. Safe Harbour was offered as a direct, express route for doing so, but isn’t a legal requirement in itself.

Business realpolitik means firms have perhaps six months to figure out ways of segregating European data so that it can be handled and processed within the EU. Which goes to show that those US companies busy expanding their EU-based data centres in the past year are the ones which have correctly been reading the political as well as business tea leaves.