EU to review "safe harbour" data transfer agreement after High Court in Ireland refers Facebook privacy case to CJEU

Out-Law News | 20 Jun 2014 | 5:20 pm | 3 min. read

The European Union will review the "safe harbour" agreement which allows US technology companies to transfer data across borders without European oversight, EU justice commissioner Viviane Reding has said, according to the Financial Times.

Reding has told ministers that her office has begun an assessment of the safe harbour agreement which is used by internet companies including Facebook and Google, as well as thousands of smaller US tech companies.

“The safe-harbour agreement may not be so safe after all,” Ms Reding said, arguing “it could be a loophole” that allowed companies to shift data to the US where “data protection standards are lower than our European ones”.

Her announcement comes after the High Court of Ireland referred to the European Court of Justice a case brought by privacy campaigners who are seeking an investigation into allegations that companies including Facebook, which has its European headquarters in Ireland, helped the US National Security Agency (NSA) harvest email and other private data from European citizens.

Austrian student Max Schrems, who is part of the Europe-v-facebook campaign group, brought the case after former US National Security Agency (NSA) contractor Edward Snowden claimed that the NSA was secretly accessing users' private data in several internet firms, including Facebook, as part of its Prism surveillance programme. The campaign group argues that because Facebook has founded a subsidiary in Dublin, the firm "is subject to European privacy and consumer law, which is generally tougher than US laws", reported the BBC. They claim the way Facebook processes its users' information lacks transparency and user control, alleging this makes it "illegal under EU law".

Schrems has argued that Ireland's data protection commissioner wrongly refused to investigate Snowden’s claims that Facebook passed its EU users’ data to the NSA.

The High Court judge this week adjourned the case in the Irish court, pending the referral to the CJEU, said the Irish Times.

The Irish court has asked the CJEU to examine whether an investigation can be launched in Ireland given Snowden's allegations. The CJEU has also been asked to rule on whether the Irish Data Protection Commission is bound by a European Commission decision that US data protection rules are adequate if information is passed by companies to its security agencies on a "self-certify" basis, according to the BBC.

According to the Irish Times, lawyers for Schrems said that Ireland's data protection commissioner was not entitled to “turn a blind eye” to the allegations by the former NSA contractor. Schrems alleged that Ireland's data protection commissioner wrongly interpreted and applied the law governing the transfer of personal data from Europe to the US when he rejected Schrems’ complaint last year.

However, lawyers acting for Billy Hawkes, the Irish data protection commissioner, said the controversy was a result of Snowden's allegations and was therefore a matter for the political level, the Irish Times reported. The transfer of data from firms in the EU to the US is subject to the transatlantic Safe Harbour arrangement which dates from 2000. The European Commission has previously expressed concern that the NSA surveillance programme Prism exposed a loophole in the Safe Harbour agreement. Hawkes must await the outcome of “political negotiations” in Europe on the Safe Harbour law, his lawyer said, according to the Irish Times.

Schrems said he was not challenging the validity of the Safe Harbour agreement but the operation of it. He argued that the transfer of data to the NSA was not in accordance with any exceptions under the agreement. Schrems also argued that Safe Harbour rules are subject to rights which are contained in EU directives, under the European Convention on Human Rights and under national law, the newspaper reported.

Mr Justice Gerard Hogan said that the evidence suggested that personal data was “routinely accessed on a mass and undifferentiated basis by the US security authorities”, according to the Irish Times. He said that Irish law had effectively been “pre-empted” by EU law, specifically the provisions of a 1995 directive and the 2000 decision establishing the Safe Harbour regime.

The European Commission found with the 2000 decision that US data protection law and practice was sufficient to safeguard the rights of European data subjects, the judge said, according to the Irish Times. Article 25(6) of the 1995 directive also made it clear that national data protection authorities must comply with findings of this nature.

The judge also said the privacy of Facebook users should be respected under the Irish constitution.

"For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by the appropriate and verifiable safeguards," the judge said, according to the BBC.