This past 3rd of October, the Irish High Court decided to suspend the case between the Irish Protection Commissioner, Max Schrems and Facebook concerning the transfer of personal data of European Facebook users from Facebook Ireland to Facebook, Inc., and to refer a series of questions to the Court of Justice of the European Union (CJEU) on the possible invalidity of the European Commission's Standard Contractual Clauses (SCC) Decision (Decision 2010/87/EU).
In this post, I will briefly summarize the problem identified by the Irish High Court.
Although the questions have not yet been referred or decided, the main controversy in the case was set out by Ms. Justice Costello, the Irish High Court judge in charge of the case, in the resolution published this past 3rd of October. And what is this controversy? The judge stated that the SCC may not ensure the “adequate level of protection” required by the law.
Article 25(1) of the Directive establishes that a transfer of data outside the EU can only be made when the third country ensures an adequate level of protection.
“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.”
And what does “an adequate level of protection” mean?
The concept of an “adequate level of protection” was analyzed in the CJEU judgment in Case C-362/14, “Max Schrems vs Data Protection Commissioner”, in which the Safe Harbour system was invalidated.
“The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. If there were no such requirement, the objective referred to in the previous paragraph of the present judgment would be disregarded. Furthermore, the high level of protection guaranteed by Directive 95/46 read in the light of the Charter could easily be circumvented by transfers of personal data from the European Union to third countries for the purpose of being processed in those countries”
So, although the concept does not require protection identical to that guaranteed by the EU legal system, the third country must guarantee an equivalent level of protection for the fundamental rights and freedoms established in Directive 95/46 and the Charter of Fundamental Rights.
And what is the problem raised by the Irish High Court?
As Edward Snowden revealed in 2013, the US uses mass surveillance programs targeting US and non-US citizens. In this case, probably the most relevant law related to mass surveillance programs is FISA Section 702, as it applies to US companies that provide electronic communications services, like Facebook.
The High Court's concern is that the SCC do not preserve the right to an effective remedy and to a fair trial established in Article 47 of the European Charter of Fundamental Rights, with the result that the rights to respect for private and family life (Article 7) and to protection of personal data (Article 8) are violated. That would mean that the SCC do not ensure the “adequate level of protection” required by Article 25 of the Directive.
Why does the High Court believe that the right to an effective remedy and to a fair trial (Article 47 ECFR) is not preserved?
The problem raised is that non-US persons are not covered by constitutional protections in the US and face several difficulties in accessing remedies for unlawful processing of data.
These are the most relevant paragraphs of the resolution of the Irish High Court about this issue:
“230. Under FISA, the personal data of an EU citizen can be seized, accessed and retained by a US government agency without the agency proving probable cause prior to obtaining a warrant in respect of the individual EU citizen from the FISC. There is no need to obtain any authorization for surveillance conducted under EO 12333.
231. By far the most significant avenue of redress for unlawful interference with personal data is a claim for violation of the provisions of the Fourth Amendment. Such a claim is not open to EU citizens lacking a substantial voluntary connection with the US.
234. In my opinion, despite the number of possible causes of action, it cannot be said that US law provides the right of every person to a judicial remedy for any breach of his data privacy by its intelligence agencies. On the contrary, the individual remedies are few and far between and certainly not complete or comprehensive.”
In the coming days we will know the exact questions that will be referred to the CJEU. However, resolving this case will take another one or two years, as happened with the Safe Harbour case.
Currently, transfers of personal data between Facebook Ireland and Facebook, Inc. are not covered by the SCC-based contract between these companies but by the Privacy Shield approved last year (more information about Privacy Shield can be found here).
More information about the case can be found on the website http://www.europe-v-facebook.org.