Maximillian Schrems v Data Protection Commissioner

• Jurisdiction: Ireland
• Judge: Mr. Justice Hogan
• Judgment Date: 18 June 2014
• Neutral Citation: [2014] IEHC 310
• Court: High Court
• Docket Number: [2013 No. 765 JR]
• Date: 18 June 2014

Schrems v Data Protection Cmsr

BETWEEN/

MAXIMILLIAN SCHREMS

APPLICANT

AND

DATA PROTECTION COMMISSIONER

RESPONDENTS

[2014] IEHC 310

[No. 765JR/2013]

THE HIGH COURT

Business – Judicial Review Application – Data Protection – Disclosure of Information – Facebook – Privacy – Constitutional Standards – Interception of Communications – Rights and Responsibilities

Facts: In 2013 a computer systems administrator, Edward Snowden, who worked for the US National Security Agency unlawfully appropriated thousands of highly classified NSA files which, when disclosed by him following his arrival in Hong Kong to media outlets such as The Guardian (in the UK) and the New York Times and the Washington Post (in the US), revealed the interception and surveillance of internet and telecommunications systems by the NSA on a massive, global scale. The applicant maintained that the Snowden disclosures demonstrated that there was no effective data protection regime in the United States and that the respondent Data Protection Commissioner ('the Commissioner') should have exercised his statutory powers to direct that the transfer of personal data from Facebook Ireland to its parent company in the United States should cease. The Commissioner for his part maintained that he was bound by the terms of a finding of the European Commission in July 2000 to hold that the data protection regime in the United States was adequate and effective where the companies which transfer or process the data to the United States self-certify that they complied with the principles set down in this Commission decision. The European Commission decision of July 2000 sets up a regime known as the Safe Harbour regime and one of the many issues which arose in these proceedings was whether the Safe Harbour principles where effective and functional some fourteen years after that decision and finding. The Commissioner concluded that the applicant"s complaint is unsustainable in law, because the Safe Harbour regime gives the imprimatur to such data transfers on the basis that the European Commission concluded that the US does, in fact, provide for adequate data protection. The applicant maintained in turn that this decision of the Commissioner was unlawful.

Held by Justice Hogan, firstly that the applicant"s complaints were not 'frivolous or vexatious' in the ordinary sense of these words. However, used in the context of s. 10(1)(b)(i) of the 1988 Act, these terms were deemed to mean no more than that the Commissioner has concluded that the complaint was unsustainable in law. Secondly, it was determined that the applicant enjoyed locus standi to bring the complaint and to bring these proceedings. It was further stated that it was irrelevant that the applicant could not show that his own personal data had been accessed by the NSA, since what mattered was the essential inviolability of the personal data itself. The essence of that right it was stated would be compromised if the data subject had reason to believe that it could be routinely accessed by security authorities on a mass and undifferentiated basis. Third, it was reasoned that the evidence suggested that personal data subjects where routinely accessed on a mass and undifferentiated basis by the US security authorities. Fourthly, so far as Irish law was concerned, the court determined that s. 11(1)(a) of the 1988 Act forbid the transfer of personal data to a third country unless it was clear that that jurisdiction respected and protected the privacy and fundamental freedoms of the data subjects. Fifthly, the chief constitutional protections where identified as those pertaining to personal privacy and the inviolability of the dwelling. In applying Article 40.5 of the Constitution, it was stated that these protections would be compromised by the mass and undifferentiated surveillance by State authorities of conversations and communications which take place within the home. Thus, for such interception of communications to be constitutionally valid, it would, according to Justice Hogan, be necessary to demonstrate that that interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by appropriate and verifiable safeguards. Sixthly, if the matter were to be measured solely by Irish law and Irish constitutional standards, then a serious issue, according to Justice Hogan, would arise which the Commissioner would then have been required to investigate as to whether US law and practice in relation to data privacy, interception and surveillance matched established constitutional standards. Seventh, Justice Hogan stated that Irish law had been effectively pre-empted by EU law and specifically by the provisions of the 1995 Directive and the 2000 Decision establishing the Safe Harbour regime. Thus, he was of the opinion that with the July 2000 Decision the European Commission found that US data protection law and practice was sufficient to safeguard the rights of European data subjects and it was clear from Article 25(6) of the 1995 Directive that national data protection authorities must comply with findings of this nature. Eight, it followed that, if the Commissioner could not look beyond the European Commission"s Safe Harbour Decision of July 2000, then it was clear that the present application for judicial review would fail. Justice Hogan stated that this was because the Commission had already decided that the US provided an adequate level of data protection and that, s. 11(2)(a) of the 1998 Act tied the Commissioner to the Commission"s finding. In those circumstances, any complaint to the Commissioner concerning the transfer of personal data by Facebook Ireland (or, indeed, Facebook) to the US on the ground that US data protection was inadequate would be doomed to fail. Ninthly, Justice Hogan further determined that while the applicant maintained that the Commissioner had not adhered to the requirements of EU law in holding that the complaint was unsustainable in law, the opposite was, in fact, in truth the case. The Commissioner had instead demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision. Tenthly, the applicant"s objection was to the terms of the Safe Harbour Regime rather than to the manner in which the Commissioner had actually applied the Safe Harbour Regime, although neither the validity of the 1995 Directive nor the validity of the Commission"s Safe Harbour decision had, as such, been challenged in the proceedings. Finally, Justice Hogan concluded that under the circumstances the critical issue which arose was whether the proper interpretation of the 1995 Directive and the 2000 Commission decision should have been re-evaluated in light of the subsequent entry into force of Article 8 of the Charter and whether, as a consequence, the Commissioner could look beyond or otherwise disregard that Community finding. For all of the above reasons, Justice Hogan decided to refer this question (and other linked questions) to the Court of Justice pursuant to Article 267 TFEU.

R (ON THE APPLICATION OF MIRANDA) v SECRETARY OF STATE FOR THE HOME DEPT 2014 3 AER 447 2014 1 WLR 3140 2014 HRLR 9 2014 EWHC 255 (ADMIN)

DATA PROTECTION ACT 1988 S2

DATA PROTECTION ACT 1988 S9

DATA PROTECTION ACT 1988 S11(1)

DATA PROTECTION ACT 1988 S11(2)

DATA PROTECTION ACT 1988 S11(2)(A)

DATA PROTECTION ACT 1988 S11(2)(B)

DATA PROTECTION ACT 1988 S1(1)

EEC DIR 46/1995 ART 25(6)

EEC DEC 520/2000 ART 1(2)

EEC DEC 520/2000 ART 1(3)

EEC DEC 520/2000 ART 3

DATA PROTECTION ACT 1988 S10(1)(B)

DATA PROTECTION ACT 1988 S10(1)

NOVAK v DATA PROTECTION CMSR 2013 1 ILRM 207 2012/34/10011 2012 IEHC 449

DATA PROTECTION ACT 1988 S26(1)(D)

DATA PROTECTION ACT 1988 S10(1)(B)(I)

CONSTITUTION ART 40.5

INTERCEPTION OF POSTAL PACKETS & TELECOMMUNICATIONS MESSAGES (REGULATION) ACT 1993 S6

DIGITAL RIGHTS IRELAND LTD v MINISTER FOR COMMUNICATIONS, MARINE & NATURAL RESOURCES 2014 IP & T 622 2014 2 AER (COMM) 1 2014 AER (EC) 775 2014 AER (D) 66 (APR) (CASE C-293/12)

EEC DIR 24/2006 ART 5(1)

EEC DIR 46/1995

EEC DIR 58/2002

RECHNUNGSHOF v OSTERREICHISCHER RUNDFUNK & ORS 2003 3 CMLR 10 2003 ECR I-4989

EEC DIR 24/2006 ART 3

EEC DIR 24/2006 ART 6

EEC DIR 24/2006 ART 5

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION ART 7

EEC DIR 24/2006 ART 4

EEC DIR 24/2006 ART 8

KENNEDY v IRELAND 1987 IR 587

DPP v DILLON 2002 4 IR 501 2003 1 ILRM 531 2002/9/1993

IDAH v DPP UNREP CCA 23.1.2013 2014 IECCA 3

CONSTITUTION ART 5

WICKLOW CO COUNCIL v FORTUNE UNREP HOGAN 4.10.2012 2012/46/13830 2012 IEHC 406

DPP v O'BRIEN UNREP CCA 2.7.2012 2012/13/83672 2012 IECCA 68

DATA PROTECTION (AMDT) ACT 2003 S12

EEC DIR 46/1995 ART 25

CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION ART 51(1)

R (ON THE APPLICATION OF NS) v SECRETARY OF STATE FOR THE HOME DEPT 2013 QB 102 2012 3 WLR 1374 2012 2 CMLR 9 2012 AER (EC) 1011 (CASE C-411/10 CASE C-493/10)

EEC DIR 24/2006 ART 4(1)

EEC DIR 46/1995 ART 17(1)

I

1 1. In May, 2013 a computer systems administrator named Edward Snowden - who up to that point had been working for the international consulting firm Booz Allen Hamilton - caused a sensation following his arrival in Hong Kong. Mr. Snowden's firm had been contracted to work for the US National Security Agency ("NSA"). In the course of that employment Mr. Snowden unlawfully appropriated thousands of highly classified NSA files which, when disclosed by him following his arrival in Hong Kong to media outlets such as The Guardian (in the UK) and the New York Times and the Washington Post (in the US), revealed the interception and surveillance of internet and telecommunications systems by the NSA on a massive, global...