Facebook has failed in its last ditch attempt to block a referral by Ireland’s High Court of questions over the legality of EU-US data transfer mechanisms to the region’s top court.
Ireland’s Supreme Court unanimously refused its request to appeal the decision Friday, via Reuters.
Irish law does not include a provision to appeal against referrals to the CJEU but Facebook sought to both stay and appeal the decision anyway.
It was denied the stay but granted leave to appeal last year — only for the Supreme Court to extinguish its hope of preventing Europe’s top judges from weighing in on privacy concerns attached to key data transfer mechanisms which are used by thousands of companies to authorize flows of EU citizens’ personal data to the US.
The case originates in a complaint against Facebook’s use of another data transfer mechanism, Standard Contractual Clauses (SCCs), by lawyer and EU privacy campaigner, Max Schrems.
He famously brought down the prior EU-US data transfer arrangement, Safe Harbor — after successfully challenging its legality in the wake of NSA whistleblower Edward Snowden’s 2013 disclosures about US government mass surveillance programs. (Hence this follow-on challenge being referred to as ‘Schrems II‘.)
“Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed Facebook’s arguments that were in total denial of all existing findings so far,” said Schrems in a statement responding to the Supreme Court’s rejection of Facebook’s appeal. “We are now looking forward to the hearing at the Court of Justice in Luxembourg next month.”
Also commenting in a statement, a Facebook spokesperson said: “We are grateful for the consideration of the Irish Court and look ahead to the Court of Justice of the European Union to now decide on these complex questions. Standard Contract Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and are used by thousands of companies across Europe to do business.”
Schrems’ complaint to the Irish data protection regulator led, rather unusually, to the watchdog to itself refer privacy concerns to the courts — which then widened the complaint, asking for the CJEU’s opinion on a range of fine-grained points around whether EU citizens’ rights are being adequately protected by both Privacy Shield and SCCs.
It’s shaping up as to be a replay of the close CJEU scrutiny that skewered Safe Harbor — a definitive strike down that instantly left thousands of companies scrambling to put in place alternative legal arrangements to avoid illegally processing EU citizens’ data.
At the time of writing there are 4,756 organizations signed up to the replacement Privacy Shield framework.
The European data protection landscape has also evolved since 2015 — with the General Data Protection Regulation (GDPR) ramping up the size of potential fines for privacy violations.
SCCs were one of the alternative mechanisms the European Commission suggested companies use in the interim between Safe Harbor’s demise in fall 2015, and Privacy Shield getting up and running, in mid 2016, although they too are now facing legal questions, per the Schrems II case.
During renegotiations and since, the European Commission has always maintained that the Privacy Shield framework — which bakes in an annual review, and makes provision for an ombudsperson to handle any EU citizens’ complaints about how US companies handle their data — is more robust than its predecessor mechanism, claiming too that it is confident it will survive legal testing.
That confidence will soon be tested at Europe’s highest legal level.
Meanwhile both Privacy Shield and SCCs are not short of critics — including from within the EU’s institutions, with both the parliament and an influential body representing national data protection watchdogs expressing ongoing concerns.
The Trump administration’s entrenchment of privacy hostile surveillance laws targeting non-US citizens has not helped Privacy Shield’s cause.
The US under Trump has also been tardy to fulfil key posts the Commission has said are required for full functioning of privacy shield — leading even it to apply a compliance deadline earlier this year.
To a degree, all that is just fiddling round the edges, though, vs the core contention at the heart of the complaints driving challenges to Privacy Shield and SCCs — i.e. that there is a fundamental incompatibility between US law that prioritizes national security and EU law which privileges personal privacy — which Europe’s top judges will soon be weighing in on again.
It’s already been more than a year since Ireland’s High Court referred eleven questions to the CJEU. And while the court can take years to deliberate it’s worth noting that it did not do so with the original Schrems challenge. In that case judges took only a little over a year to return their landmark verdict to strike down Safe Harbor, demonstrating they are willing to move quickly to defend EU privacy rights against the threat of mass surveillance.
Now, with Facebook’s last ditch attempt to de-rail the CJEU referral kicked into touch, it’s quite possible they will could move just as quickly towards a verdict on Schrems II. Certainly if they feel EU citizens’ fundamental rights are being infringed.
Privacy Shield is also facing a legal challenge brought by French digital rights groups — who similarly argue that it breaches fundamental EU rights. That complaint will be heard by the General Court of the EU on July 1 and 2.