Schrems -v- Data Protection Commissioner (No.2), [2014] IEHC 351 (2014)

Docket Number:[2013 765 JR
Party Name:Schrems, Data Protection Commissioner (No.2)
Judge:Hogan J.

THE HIGH COURT[2013 No. 765JR]BETWEEN/MAXIMILLIAN SCHREMSAPPLICANTANDDATA PROTECTION COMMISSIONER (No.2)RESPONDENTJUDGMENT of Mr. Justice Gerard Hogan delivered on the 16thJuly, 2014 1. This is an application by notice of motion dated 26th June, 2014, on the part of Digital Rights Ireland Ltd. (“DRI”) to be joined to the present judicial review proceedings as amicus curiae. This nature of this application cannot really be fully understood without reference to my earlier judgment which was delivered on 18th June, 2014, in respect of the substantive proceedings, Schrems v. Data Protection Commissioner [2014] IEHC 310. This judgment should accordingly be read in conjunction with that earlier judgment.The background to the present proceedings2. In these proceedings the applicant has challenged a decision of the Data Protection Commissioner not to investigate a complaint of his pursuant to s. 10(1)(b) of the Data Protection Act 1988 (“the 1988 Act”). The complaint was lodged following the revelations which a former US security contractor, Edward Snowden, made concerning the manner in which the US security authorities access personal data of non-US citizens on a mass and undifferentiated basis.3. While the complaint was formerly directed at the major social network, Facebook (Ireland) Ltd., the gist of the objection does not really concern Facebook at all. The complaint was rather that in the light of the revelations made from May, 2013 onwards by Edward Snowden concerning the activities of the US National Security Agency (“NSA”), there was no meaningful protection in US law and practice in respect of data so transferred to the US so far as State surveillance was concerned.4. By letters dated 25th and 26th July, 2013, the Commissioner invoked his power under s. 10(1)(a) of the 1988 Act not to investigate this complaint further on the ground that this complaint was frivolous and vexatious, terms which in this case and in this particular statutory context simply mean that the Commissioner concluded that the claim was unsustainable in law.5. The reason why the Commissioner reached this conclusion was because (i) there was no evidence that Mr. Schrems’ personal data had been so accessed by the NSA (or other US security agencies)(“the locus standi objection”), so that the complaint was purely hypothetical and speculative and (ii) because the European Commission had determined in its decision of 26th July 2000 (2000/520/EC)(“the Safe Harbour Decision”) that the United States “ensures an adequate level of [data] protection” in accordance with Article 25(6) of Directive 95/46/EC (“the 1995 Directive”). The Commissioner noted that the Safe Harbour decision was a “Community finding” for the purposes of s. 11(2)(a) of the 1988 Act, so that any question of the adequacy of data protection in that third country (in the present case, the United States) where the data is to be transferred was required by Irish law “to be determined in accordance with that finding.” As this was the essence of the applicant’s complaint – namely, that personal data was being transferred to another third country which did not in practice observe these standards – the Commissioner took the view that this question was foreclosed by the nature of the earlier Safe Harbour Decision.6. In my judgment delivered on 18th June, 2014, (Schrems v. Data Protection Commissioner [2014] IEHC 310) I rejected the locus standi argument. I also found that mass and indiscriminate surveillance of communications, especially private communications generated within the home, would, as a matter of Irish law, be unconstitutional, having regard to the inter-action of the guarantees of privacy and Article 40.5.’s protection of the inviolability of the dwelling. That concept of inviolability would be wholly compromised if private communications of this kind generally made within the home were thus subjected to routine and undifferentiated surveillance by State agencies.7. Section 11(1)(a) of the 1988 Act precludes the transfer of personal data to third countries, save where that third country “ensures an adequate level of protection for the privacy and the fundamental rights and freedoms” within the meaning of s. 11(1)(a) of the 1988 Act. I held that, were the matter judged entirely by Irish law, then measured by these constitutional standards and having regard to the (apparently) limited protection given to non-US data subjects by contemporary US law and practice so far as State surveillance is concerned, this would indeed have been a matter which the Commissioner would have been obliged to investigate. It followed, accordingly, that if the matter were to be judged solely by reference to Irish constitutional law standards, the Commissioner could not properly have exercised his s. 10(1)(b) powers to conclude in a summary fashion that there was nothing further to investigate.8. The parties were agreed, however, the matter is only partially governed by Irish law and that, in reality, on this key issue of the adequacy of data protection law and practice in third countries, Irish law has been pre-empted by general EU law in this area. This is because s. 11(2)(a) of the 1988 Act (as substituted by s. 12 of the Data Protection (Amendment) Act 2003) effects a renvoi of this wider question in favour of EU law. Specifically, s. 11(2)(a) of the 1988 Act provides that the Commissioner must determine the question of the adequacy of protection in the third State “in accordance” with a Community finding made by the European Commission pursuant to Article 25(6) of the 1995 Directive.9. I then held (at paragraphs 64-70 of the judgment) that:“64. This brings us to the nub of the issue for the Commissioner. He is naturally bound by the terms of the 1995 Directive and by the 2000 Commission Decision. Furthermore, as the 2000 Decision amounts to a “Community finding” regarding the adequacy of data protection in the country to which the data is to be transferred, s. 11(2)(a) of the 1988 Act (as amended) requires that the question of the adequacy of data protection in the country where the data is to be so transferred “shall be determined in accordance with that finding.” In this respect, s. 11(2)(a) of the 1988 Act faithfully follows the provisions of Article 25(6) of the 1995 Directive.65. All of this means that the Commissioner cannot arrive at a finding inconsistent with that Community finding, so that if, for example, the Community finding is to the effect that a particular third party state has adequate and effective data protection laws, the Commissioner cannot conclude to the contrary. The Community finding in question was, as we have already seen, to the effect that the US does provide adequate data protection for data subjects in respect of data...

To continue reading