Maximillian Schrems v Data Protection Commissioner (No.2)

JurisdictionIreland
JudgeMr. Justice Gerard Hogan
Judgment Date16 July 2014
Neutral Citation[2014] IEHC 351
CourtHigh Court
Date16 July 2014
Schrems v Data Protection Cmsr (No 2)
BETWEEN/
MAXIMILLIAN SCHREMS
APPLICANT

AND

DATA PROTECTION COMMISSIONER (No.2)
RESPONDENT

[2014] IEHC 351

[No. 765JR/2013]

THE HIGH COURT

Judicial Review – Application for joinder as amicus curiae – Data Protection – Procedure – National Security Agency – Jurisdiction – Personal Data – Data Protection Commissioner

These proceedings involved the applicant, Schrems, challenging a decision of the Data Protection Commissioner not to investigate a complaint of his pursuant to s. 10(1)(b) of the Data Protection Act 1988.Following Edward Snowden”s disclosure concerning the activities of the US National Security Agency (NSA), the applicant sought an investigation into that there was no meaningful protection in US law and practice in respect of data so transferred to the US so far as State surveillance was concerned. Judgment against the applicant came in the High Court and it was found there was no evidence that the applicant”s personal data had been so accessed by the NSA. The applicant now sought an application before Hogan J. in the High Court that the party Digital Rights Ireland Ltd (DRI) be joined to the judicial review proceedings as amicus curiae.

Hogan J. considered the two most pivotal issues that needed to be addressed, namely, should DRI be joined as amicus curiae to the present proceedings? And secondly, even if it were to be so joined, should it be permitted to have an additional question or questions added to the proceedings? Taking the issues in turn, Hogan J, with the guidance of I. v. Minister for Justice, Equality and Law Reform [2003] IESC 42, considered the jurisdiction of the High Court to allow a joinder by amicus curiae. Hogan J remarked that amicus curiae cases must normally involve questions of public law, often with significant implications for the general public and the jurisdiction is one to be sparingly exercised. Hogan J additionally purported that the neutrality of the putative amicus was also a factor to be considered. Hogan J concluded that it would be appropriate in the circumstances to make an order appointing DRI as an amicus. Hogan J held that view in light of the decision of the Court of Justice in Digital Rights Ireland, and was convinced that the DRI could articulate its own distinctive view which may possibly assist the Court in respect of these difficult and troubling questions which are the subject of the reference. In respect of allowing DRI to add additional questions to the proceedings, Hogan J, proposed that the questions would radically alter the nature and scope of the existing proceedings and would require the joinder of a further additional party inducing further additional costs and delay.

SCHREMS v DATA PROTECTION CMSR UNREP HOGAN 18.6.2014 2014 IEHC 310

DATA PROTECTION ACT 1988 S10(1)(B)

DATA PROTECTION ACT 1988 S10(1)(A)

EEC DIR 1995/46 ART 25(6)

DATA PROTECTION ACT 1988 S11(2)(A)

CONSTITUTION ART 40.5

DATA PROTECTION ACT 1988 S11(1)(A)

DATA PROTECTION (AMDT) ACT 2003 S12

EEC DECISION 2000/520 ART 3(1)(B)

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION ART 7

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION ART 8

DIGITAL RIGHTS IRL LTD v MIN FOR COMMUNICATIONS & ORS 2014 2 AER (COMM) 1 2014 3 CMLR 44 2014 AER (EC) 775

I (H) v MIN FOR JUSTICE 2003 3 IR 197 2004 1 ILRM 27 2003/27/6454

O'BRIEN v PERSONAL INJURIES ASSESSMENT BOARD (NO 1) 2005 3 IR 328

FITZPATRICK & RYAN v K (F) & AG 2007 2 IR 406 2008 1 ILRM 68 2006/24/4904 2006 IEHC 392

DIGITAL RIGHTS IRL LTD v MIN FOR COMMUNICATIONS & ORS 2010 3 IR 251 2011 1 ILRM 258 2010/12/2777 2010 IEHC 221

TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION ART 267

DOHERTY v SOUTH DUBLIN CO COUNCIL & ORS 2007 1 IR 246 2006 1 ILRM 241 2006/15/3165 2006 IESC 57

EMI RECORDS (IRL) LTD & ORS v UPC COMMUNICATIONS IRL LTD & ORS UNREP KELLY 3.5.2013 2013 IEHC 204

RSC O.60 r1

1

1. This is an application by notice of motion dated 26 th June, 2014, on the part of Digital Rights Ireland Ltd. ("DRI") to be joined to the present judicial review proceedings as amicus curiae. This nature of this application cannot really be fully understood without reference to my earlier judgment which was delivered on 18 th June, 2014, in respect of the substantive proceedings, Schrems v. Data Protection Commissioner [2014] IEHC 310. This judgment should accordingly be read in conjunction with that earlier judgment.

The background to the present proceedings
2

2. In these proceedings the applicant has challenged a decision of the Data Protection Commissioner not to investigate a complaint of his pursuant to s. 10(1)(b) of the Data Protection Act 1988 ("the 1988 Act"). The complaint was lodged following the revelations which a former US security contractor, Edward Snowden, made concerning the manner in which the US security authorities access personal data of non-US citizens on a mass and undifferentiated basis.

3

3. While the complaint was formerly directed at the major social network, Facebook (Ireland) Ltd., the gist of the objection does not really concern Facebook at all. The complaint was rather that in the light of the revelations made from May 2013 onwards by Edward Snowden concerning the activities of the US National Security Agency ("NSA"), there was no meaningful protection in US law and practice in respect of data so transferred to the US so far as State surveillance was concerned.

4

4. By letters dated 25 th and 26 th July, 2013, the Commissioner invoked his power under s. 10(1)(a) of the 1988 Act not to investigate this complaint further on the ground that this complaint was frivolous and vexatious, terms which in this case and in this particular statutory context simply mean that the Commissioner concluded that the claim was unsustainable in law.

5

5. The reason why the Commissioner reached this conclusion was because (i) there was no evidence that Mr. Schrems' personal data had been so accessed by the NSA (or other US security agencies)("the locus standi objection"), so that the complaint was purely hypothetical and speculative and (ii) because the European Commission had determined in its decision of 26 th July 2000 (2000/520/EC)("the Safe Harbour Decision") that the United States "ensures an adequate level of [data] protection" in accordance with Article 25(6) of Directive 95/46/EC ("the 1995 Directive"). The Commissioner noted that the Safe Harbour decision was a "Community finding" for the purposes of s. 11 (2)(a) of the 1988 Act, so that any question of the adequacy of data protection in that third country (in the present case, the United States) where the data is to be transferred was required by Irish law "to be determined in accordance with that finding." As this was the essence of the applicant's complaint - namely, that personal data was being transferred to another third country which did not in practice observe these standards - the Commissioner took the view that this question was foreclosed by the nature of the earlier Safe Harbour Decision.

6

6. In my judgment delivered on 18 th June, 2014, (Schrems v. Data Protection Commissioner [2014] IEHC 310) I rejected the locus standi argument. I also found that mass and indiscriminate surveillance of communications, especially private communications generated within the home, would, as a matter of Irish law, be unconstitutional, having regard to the inter-action of the guarantees of privacy and Article 40.5.'s protection of the inviolability of the dwelling. That concept of inviolability would be wholly compromised if private communications of this kind generally made within the home were thus subjected to routine and undifferentiated surveillance by State agencies.

7

7. Section 11(1)(a) of the 1988 Act precludes the transfer of personal data to third countries, save where that third country "ensures an adequate level of protection for the privacy and the fundamental rights and freedoms" within the meaning of s. 11(1 )(a) of the 1988 Act. I held that, were the matter judged entirely by Irish law, then measured by these constitutional standards and having regard to the (apparently) limited protection given to non-US data subjects by contemporary US law and practice so far as State surveillance is concerned, this would indeed have been a matter which the Commissioner would have been obliged to investigate. It followed, accordingly, that if the matter were to be judged solely by reference to Irish constitutional law standards, the Commissioner could not properly have exercised his s. 10( 1 )(b) powers to conclude in a summary fashion that there was nothing further to investigate.

8

8. The parties were agreed, however, the matter is only partially governed by Irish law and that, in reality, on this key issue of the adequacy of data protection law and practice in third countries, Irish law has been pre-empted by general EU law in this area. This is because s. 11(2)(a) of the 1988 Act (as substituted by s. 12 of the Data Protection (Amendment) Act 2003) effects a renvoi of this wider question in favour of EU law. Specifically, s. 11(2)(a) of the 1988 Act provides that the Commissioner must determine the question of the adequacy of protection in the third State "in accordance" with a Community finding made by the European Commission pursuant to Article 25(6) of the 1995 Directive.

9

9. I then held (at paragraphs 64-70 of the judgment) that:

2

"64. This brings us to the nub of the issue for the Commissioner. He is naturally bound by the terms of the 1995 Directive and by the 2000 Commission Decision. Furthermore, as the 2000 Decision amounts to a "Community finding" regarding the adequacy of data protection in the country to which the data is to be transferred, s. 11(2)(a) of the 1988 Act (as amended) requires that the question of the adequacy of...

To continue reading

Request your trial
5 cases

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT