Facebook privacy case to be referred to European Court of Justice

Europe v Facebook

The High Court in Ireland has referred a data-sharing case to the European Court of Justice (ECJ), over the social network’s relationship with the NSA and its PRISM programme.

The referral follows a High Court Challenge by Austrian law student Max Schrems who fronts a privacy group called ‘Europe v Facebook’.

Europe v FacebookSchrems claims that Ireland’s Data Protection Commissioner Billy Hawkes erroneously interpreted and applied the law when he rejected a complaint about the mass transfer of Facebook users’ data to the US National Security Agency.

The Commissioner had argued that an investigation was not necessary since Schrems could not prove that his own data had been accessed.

The Commissioner ruled that Facebook’s transfer of data fell within the terms of an EU-US data-sharing agreement made in July 2000 called ‘Safe Harbour’ which, he said, is compatible with the requirements of the EU Data Protection Directive.

Europe v Facebook, however, argues that, because Facebook has a subsidiary in Dublin, the firm is “subject to European privacy and consumer law, which is generally tougher than US laws.”

The group claims that the manner in which Facebook processes its users’ information lacks transparency and user control which, it says, makes it “illegal under EU law.”

The campaigners lodged numerous complaints against Facebook Ireland with the Commissioner’s Office which led to an audit of the company.

Facebook subsequently agreed to change its privacy policy but the group claims that those changes are not far-reaching enough.

Europe v Facebook therefore asked the Irish High Court to review the Commissioner’s decision. The court, however, decided on Wednesday that the issue at question was not the actions of the Data Protection Commissioner himself, but rather the effectiveness of the Safe Harbour agreement.

High Court Justice Gerard Hogan said in his ruling:

There is, perhaps, much to be said for the argument that the Safe Harbor Regime has been overtaken by events. The Snowden revelations may be thought to have exposed gaping holes in the contemporary US data protection practice. It must be again stressed, however, that neither the validity of the 1995 Directive nor the validity of the Commission's Safe Harbour decision have, as such, been challenged in these proceedings.

Additionally, the judge also pointed out that Schrems was not required to prove that his own data had been spied upon in order to make a complaint:

Quite obviously, Mr Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities. But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.

Justice Hogan conceded that Facebook users should have their privacy respected under the Irish constitution:

For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by the appropriate and verifiable safeguards.

Hogan also conceded that the PRISM surveillance programme was not entirely compatible with Irish law which seeks to protect citizen’s data and the sanctity of their own homes:

It is very difficult to see how the mass and undifferentiated accessing by state authorities of personal data generated perhaps especially with the homeā€¦ could survive constitutional scrutiny.

The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life with the home would be immune from potential state scrutiny.

Such a state of affairs - with its gloomy echoes of the mass state surveillance programmes conducted in totalitarian states such as the German Democratic Republic of Ulbricht and Honecker - would be totally at odds with the basic premises and fundamental values of the Constitution.

After the ruling was given, Schrems took to Twitter to declare that the Irish court’s referral to the ECJ was the best thing that could have happened, adding that, “We expected to win it in Ireland, but having a European ruling on it is more than we could have asked for.”

Europe v Facebook pointed out that the ruling could have far-reaching consequences, saying that, “news media does not seem to get that the Irish referral questions the basis of most EU-US data flows… huge impact!”

The case has now been adjourned until next month to allow for the preparation of papers for the referral. The subsequent verdict from the ECJ is likely to apply to all US companies that have participated in the PRISM programme and who also trade in Europe.