The ongoing case; C-311/18 Facebook Ireland and Schrems is a very interesting one in regard to data privacy and mass surveillance when data is being transferred from the EU to the US. In this blog post we will look more into it and explain the most important aspects of it. Since it is a case of preliminary ruling, we will start with explaining what that procedure entails and the role of the Court of Justice of the European Union (CJEU) within the Union.
The role of the CJEU
The CJEU is actually a combination of different courts. It has different chambers, including the Grand Chamber (for important cases) and are assisted by Advocate Generals who give opinions suggesting how the court should judge in different cases. If the case is not that big or “groundbreaking” the opinion from an Advocate General is usually not needed.
The CJEU have different tasks. Generally, there are three ways the CJEU can make precedents:
1. The CJEU can judge in cases when a national court has referred a question of interpretation of EU law to the court, which is the preliminary reference procedure, based on article 267 Treaty on the Functioning of the EU (TFEU).
2. The court also judge in cases brought directly in front of it which is called judicial review/action for annulment, based on article 263 TFEU. The judicial review is a direct action and the preliminary reference procedure is an indirect action. This constitutes that you as an applicant only can use the preliminary reference procedure (indirect action) if you do not have a clear standing based on the judicial review (direct action).
3. The CJEU also judge in cases regarding state liability, based on article 258 TFEU, and this concerns cases when a Member State of the union is not complying with EU law. It can either be based on the fact that the Commission “policed” EU law, figuring out that a Member State is not complying with EU law, or that another Member State is looking into the actions of the Member State, arguing for that it does not comply with EU law (article 259 TFEU).
So, the CJEU is judging in cases regarding EU law, either in regard to interpretation of it, or validation of it. Therefor the case-law from the CJEU is really important as a source of EU law, in for example understanding the provisions within the Treaties, regulations or directives. The importance of the case-law from the court can be explained by the fact that the EU legal order is a mix between common law and civil law systems.
Preliminary ruling/reference procedure
As stated above, the preliminary reference procedure based on article 267 TFEU, is one of the three main ways of providing cases to the CJEU and is therefore an important base for interpretation of EU law. But when can a national court use this procedure? And can all of them do it or just the last instance within the national system?
National courts can use the preliminary reference procedure when a question of EU law is important for the national case in question. The courts within the national system who are adjudicating at the last instance must refer such a question to the CJEU. But there are some exceptions to this based on case-law from the CJEU that fall under the so called “Act Claire”. Meaning, that national courts do not have to refer a question of preliminary ruling to the CJEU if;
- the question is already subject to preliminary ruling (Case Da Costa),
- the question is irrelevant, the community provision has already been interpreted by the court or the correct application of EU law is so obvious as to leave no scope of any reasonable doubt (Case Cilfit).
But what about the courts adjudicating at lower instances? They can, but do not have to, refer a question of preliminary ruling to the CJEU. This is good because then you are not forced to exhaust the national system in order to get a preliminary ruling from the CJEU. It makes the system more efficient, which is an important principle within the EU.
C-311/18 Facebook Ireland and Schrems
The original complaint was made by Max Schrems against Facebook in 2013. The complaint was based on the disclosure by Edward Snowden that Facebook provides access to personal data of Europeans to the US Intelligent Service, and the complaint seeks (also in the present case) therefore to stop the transfer of personal data from the EU to the US in this regard. The case therefore concerns the protection of fundamental rights of EU citizens.
Since Facebook has its main establishment within EU in Ireland, the national Data Protection Authority involved is the Irish Data Protection Commissioner (DPC). The DPC initially rejected the case, but after judicial review in Ireland and a preliminary reference to the CJEU the DPC had to investigate it. In the same case the CJEU in 2015 (C-362/14) ruled that the former “Safe-Harbor” agreement was invalid and that transfer of data from the EU to the US could not be based on this.
Further on, the DPC, after investigating Facebook Ireland, came to the conclusion that their transfer of personal data was never based on the “Safe-Harbor” system, but instead on “Standard Contractual Clauses” (SCC). If you want to know more about these two systems, take a look at our previous blog post. Schrems further on adapted his complaint to this, and therefore the transfer of personal data based on SCC from the EU to the Facebook US is what is being questioned. The DPC filed a lawsuit against Facebook and Schrems at the Irish High Court in 2016 and in 2018 the Irish High Court referred 11 questions based on the preliminary reference procedure to the CJEU, since the court found that the US Government is involved in mass processing of Europeans personal data.
One of the questions from the national court referred to CJEU is if the transfer of personal data based on SCC is violating article 7 (right to privacy) and/or article 8 (right to protection of personal data) of the Charter of Fundamental Rights (CFR). Another question is if the level of protection afforded by the US respect the essence of the right to judicial remedy for breach of the individuals data privacy rights guaranteed by article 47 CFR. If the answer to this question is yes, the follow up question is if the derogation from the protection in article 47 in the context of US national Security is proportionate in accordance with article 52 CFR.
The two last mentioned questions above are therefore referring to an essence test and proportionality assessment, that the CJEU makes to see if the limitation of the fundamental rights were not too far reaching. It will be interesting to see what the CJEU has to say in this regard! If you would like to see all the questions referred to the CJEU you can find them here.
So, where are we now?
Now the case is listed under C-311/18, and there was a second hearing the 9th of July. The hearing was an eight hours oral argumentation. The judgment is expected before the end of this year, and in December the Advocate General in the case; Henrik Saugmandsgaard Øe said he will give his non-binding opinion. After the judgment, when the case is referred back to the national court, the DPC will eventually have to make a decision on the complaint.
Further questions?
We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email info@gdprhero.se or phone 046 – 273 17 17. You can also book a demonstration of GDPR Hero here.