Early this year, the Irish High Court again submitted the data transfer between Facebook Europe (headquartered in Ireland) and Facebook USA to the European Court of Justice (ECJ). Following the revelations of Edward Snowden who uncovered the fact that the so-called “PRISM” programme obliged large US corporations to transmit user data to the US government, this has now been the second time that the case was brought forward to the ECJ.
At the first referral to the ECJ, the “Safe Harbor” system being in place by then and allowing European companies to host personal data with US suppliers was declared void. Facebook now invokes another mechanism to transfer data between the European Union and the United States: The so-called “standard contractual clauses” which many companies have been using since the “Safe Harbor” verdict.
The basic problem: US surveillance laws
However, “standard contractual clauses” do not solve the problem of US surveillance laws. 702 FISA for example stipulates that all “Electronic Communication Service Providers” enable the US government to pick up the personal data of any user. This provision only excludes US citizens and persons having a permanent residency in the United States. It is exactly this type of “mass surveillance” without any individual suspicion or judicial control which is in violation of Article 8 of the European Charter of Fundamental Rights and thereby of GDPR.
There is no instrument for EU-US data transfer (such as “Privacy Shield”, the standard contractual clauses or binding corporate rules) that could resolve the conflict between the US surveillance laws and EU fundamental rights.
“Privacy Shield” could also be concerned
The Irish court is also questioning the new EU-US agreement “Privacy Shield” and wishes to know whether the Privacy Shield is of a binding nature to Irish authorities. The ECJ is therefore in the position to check for the first time whether the Privacy Shield is valid or not. At present it is not clear if the ECJ will actually do so. In the end, much will depend on how generously or strictly the ECJ will answer the questions of the Irish court.
Negotiations at the beginning of the year 2019, decision by the middle of the year 2019
The further schedule can roughly be outlined. In the summer of 2018, all parties submitted their opinions with the ECJ. The opinions will soon be available in their translated versions. Oral hearings are expected for the beginning of the year 2019 – with a judgement to be followed by the middle of the year 2019. Similarly to Safe Harbor, the judgement may lead to the retroactive illegality of the respective data transfers to the United States. It will therefore be wise to keep an eye on these proceedings and take precautionary measures in time should this become necessary.