Irish DPC gets go ahead in latest chapter of the saga of Max Schrems and Facebook

The case relates to the lawfulness of transfers of personal data by FBI to Facebook in the US. In August last year, following the Schrems II decision by the CJEU, the DPC issued a Preliminary Draft Decision (PDD) to FBI, to which FBI was invited to respond, but which, if translated into a final decision, would require FBI to suspend its transfers to the US. FBI took exception to the issuing of the PDD on several grounds relating to unfairness including procedural unfairness and instigated judicial review proceedings against the DPC with a consequential stay on the DPC’s “own-volition” inquiry. The case was heard by the Irish High Court in December.

Although not entirely uncritical of the DPC, the judgment accepts the validity of the approach adopted by the DPC in its investigation of FBI’s data transfers. The Court did agree with FBI that the issuing of the PDD and the surrounding procedures were open to judicial review and therefore went on to consider, in some depth, each of the grounds of challenge advanced by FBI. In the course of proceedings, FBI dropped two of these grounds. The remaining grounds were all rejected by the Court, the overall conclusion being that FBI had not established any basis for calling into question the validity of the DPC’s processes. It is reported that on 20 May and with consent of the parties, the Irish High Court formally lifted the stay on the DPC’s “own-volition” inquiry. FBI will still have the opportunity to respond to this PDD but, unless it can now satisfy the DPC as to the safeguards in place for its international transfers to the US, it seems likely that, following the application of the GDPR’s cooperation and consistency mechanism, FBI will be ordered to suspend these transfers.

The High Court judgment is lengthy and detailed, running to nearly 200 pages. For the most part it addresses procedural points which, given that that the findings went against FBI, are unlikely to be particularly instructive for other businesses. The picture is also made more complex by the involvement of Max Schrems himself as a participant in the hearing and by his own application for judicial review against the DPC. This application was settled between the date of the High Court hearing and the date of the delivery of its judgment and is referred to in the judgment. There is thus little to be gained from an in depth analysis of all aspects of the judgment. It might nevertheless be of value to recap just where we are now, and how we have arrived there, in the long running saga of Max Schrems and his challenges to FBI’s international data transfers. Some high level insights can also be drawn about the conduct of major investigations by data protection authorities which might be instructive. Finally, there remains an open question as to where this now leaves other businesses that are continuing to transfer personal data to the US on the basis of the European Commission’s Standard Contractual Clauses (SCCs).

The saga of Max Schrems and Facebook

There have been many twists and turns in the long running saga of Max Schrems and Facebook, not least of which are the Schrems I and Schrems II rulings by the Court of Justice of the European Union (CJEU). Readers might therefore welcome a quick and necessarily abridged summary of the various chapters in the saga that that have led us up to the most recent judgment of the Irish High Court, particularly as the judgment itself has cast further light on some elements of this saga.

• It was as long ago as 2013 that Max Schrems made his first complaint to the DPC that the transfer of his personal data by FBI to Facebook in the US was unlawful because the US did not ensure adequate protection for the transferred data. At that time Facebook’s transfers were based, at least partly, on the US Safe Harbor provisions.

• The DPC declined to investigate this complaint on the grounds that the European Commission had adopted a Decision finding that the US Safe Harbor did ensure an adequate level of protection for transferred data. In the DPC’s view the Commission’s Decision did not leave any scope for it to determine differently.

• Max Schrems challenged the DPC in the Irish High Court in October 2013. This led to a reference to the CJEU and ultimately, in October 2015, to the Schrems I ruling. In that ruling the CJEU quashed the Commission’s Decision meaning that the US Safe Harbor could no longer be relied on as providing a legal basis for transfers of personal to the US.

• Max Schrems then reformulated his complaint to the DPC in the light of the Schrems I ruling. Although, apparently, not known by Mr Schrems at the time FBI had identified three legal bases for ongoing transfers to the US. These were standard contractual clauses (SCCs), transfers with the consent of the data subject and transfers under the contractual necessity derogation in the then Directive.

• In May 2016, the DPC issued a draft decision stating that the DPC had formed the view on a “preliminary basis” that Max Schrems’s contention that the SCCs could not be relied on was well founded. However, in the DPC’s view, questions as to the validity of the SCCs could only be determined by the CJEU, not by the DPC, or by national courts.

• The DPC therefore immediately commenced further proceedings in the Irish High Court seeking a reference to the CJEU. Following an unsuccessful appeal by FBI against the High Court’s decision to refer a range of questions to the CJEU these proceedings led ultimately to the CJEU’s Schrems II ruling in July 2020.

• It is worth noting that in the meantime the European Commission had adopted a Decision that the Privacy Shield, as a replacement for the Safe Harbor, now ensured an adequate level of protection for personal data transferred from the EU to the US. Furthermore the GDPR had replaced the former Data Protection Directive, coming into force in May 2018.

• The Schrems II ruling established that, although the SCCs remained valid, a data exporter in the EU making use of them is nevertheless required to verify, on a case by case basis, and taking into account their terms, whether the law and practice in the destination country ensures essentially equivalent protection for any transferred data . At particular issue was the ability of public authorities in the destination country to conduct surveillance on the transferred data. If the data exporter is not, as far as is necessary, able to put in place sufficient supplementary measures to guarantee essentially equivalent protection the data exporter, or, failing that, the relevant data protection authority, is required to suspend or end the transfers. In the ruling, the CJEU also went on to quash the Commission’s Decision on the Privacy Shield.

• In August 2020, at the end of the month following the CJEU’s ruling, the DPC wrote to FBI enclosing the PDD that was subsequently the subject of the FBI’s judicial review application. This gave FBI 21 days to respond and stated that the DPC was now undertaking an “own-volition” inquiry into FBI’s data transfers after which it would return to Max Schrems’ original, reformulated complaint. However Max Schrems appears to have taken exception to his apparent exclusion from proceedings and submitted his own application to the Irish High Court for judicial review of the DPC’s approach. Settlement was subsequently reached between the DPC and Max Schrems on this judicial review application in which the DPC agreed, upon the Court’s lifting of the stay of its investigation, to progress the handling of Max Schrems complaint and its “own-volition” inquiry as expeditiously as possible.

Some high level insights

The High Court judgment will undoubtedly be welcome news for the embattled Irish Data Protection Commissioner, Helen Dixon. She has come under fire from many sides, including the European Parliament’s LIBE Committee, for what is perceived to be a reluctance to take sufficiently strong enforcement action against major tech companies that have their European headquarters in Ireland and for her office’s long processing times. The LIBE Committee even expressed disappointment with her decision to initiate the Schrems II case rather than independently triggering enforcement action against FBI. Furthermore, the Committee has called on the European Commission to launch infringement proceedings against Ireland for a failure to enforce the GDPR effectively. Against this background, the judicial review case makes clear that DPC was right to have proceeded cautiously.

When faced with enforcement action that seeks to significantly restrict their business models or when faced with multi-million euro fines businesses will understandably look for legitimate avenues to challenge the actions of data protection authorities, whether through more conventional appeals against sanctions or by means of judicial review. Any data protection authority needs to have a defensible position that it can put before the courts when challenged. The DPC has survived an examination by the Irish High Court and there can be no denying that it was a comprehensive and searching examination. Had the DPC been found to have jumped to conclusions without a thorough investigation, not to have been offering FBI a proper opportunity to state its case, otherwise followed procedures that were unfair to any of the parties involved or had not been sufficiently transparent about those procedures it would almost certainly have come a cropper. Ensuring the necessary procedural fairness requires time and effort by a data protection authority whatever the political pressures on it might be.

The High Court did though recognise that there has to be some flexibility. A data protection authority can legitimately be expected to continue a well-established practice of following a particular procedure but, provided that it stays within the law, it does not have to do so religiously. It can adapt its approach to the circumstances of particular cases. It is just that any procedural variation by the data protection authority has to be based on objective reasons and must not create unfairness or be unjust to the party under investigation.

The DPC did not entirely escape criticism though. The High Court judge, whist finding in favour of the DPC in relation to an allegation of premature judgment, suggested that it might have been wiser for the Commissioner, Helen Dixon, to have been more circumspect in remarks she made in a conference address to the effect that the Schrems II ruling by the CJEU had given her no room for manoeuvre in relation to EU-US data transfers. Again, whilst finding in favour of the DPC in relation to an allegation of a failure to respect the duty of candour, the judge expressed some misgivings about the DPC’s failure to respond more fully to requests for information from FBI and suggested that it had acted in an overly defensive manner. The Judge was actually at his most critical in relation to an allegation by the DPC that FBI’s issuing of its proceedings amounted to an abuse of process and had been done for an improper purpose, that of buying time. Here the Judge said that this was a serious allegation, that there was no basis for it and that it ought never to have been made.

Data protection commissioners have a difficult path to steer. On the one hand they operate in an increasingly political environment and are expected to be champions of privacy and of data subject rights. On the other hand, when considering sanctions, they carry out quasi-judicial functions and have to act, and be seen to act fairly and without bias. The High Court judgment confirms that Helen Dixon has managed to keep to the straight and narrow so far in the case in question but the same might not have been true had she conceded more ground to her critics. What is clear though is the extent to which commissioners, when acting in their quasi-judicial capacity, can now be held accountable to the courts, and the extent to which affected businesses may be willing to exercise their rights to give effect to this accountability. As the UK Commissioner, Elizabeth Denham was also reminded of when seeking to defend the ICO’s imposition of a fine on Facebook in the wake of the Cambridge Analytica scandal, commissioners need to be very careful not to risk giving any appearance of rushing to premature judgment, to stick to their published procedures unless there are objective and fair reasons for departing from these and not to otherwise risk bringing unfairness or injustice into their deliberations whatever the wider pressures on them might be.

Where does this leave businesses?

It is clear from the judgment that the DPC’s preliminary view, as set out in its PDD, was that;

• US law does not provide a level of protection that is essentially equivalent to that provided by EU law;

• SCCs cannot compensate for the inadequate protection provided by US law;

• FBI does not appear to have in place any supplemental measures which would compensate for the inadequate protection provided by US law.

It will now be open to FBI to make representations to the DPC on these points before the DPC moves to a draft decision that it will then submit to the GDPR’s cooperation and consistency mechanism. On the basis of the information presented to the High Court amongst the arguments that FBI may consider are the following:

• US law and practice is now different from that examined in the Schrems II case and provides an increased level of protection;

• SCCs are no longer the transfer mechanism relied on by FBI and it now relies on other GDPR provisions, perhaps the Art 49 derogation for contractual necessity or even consent;

• FBI has now, particularly given the time that has elapsed, been able put in place supplemental measure which compensate for the inadequate protection provided by US law and practice.

Any of these will be challenging for FBI but it is the question of supplemental measures that is likely to attract most interest from other businesses. Here it needs to be borne in mind that Facebook Inc in the US qualifies as an electronic communications service provider and can therefore be ordered to make transferred data about specified non-US persons in its stored communications directly available to US public authorities. It is not just liable to have its communications to and from the EU intercepted in transit by such authorities. Although, in an effort to be helpful, the EDPB has produced recommendations on supplemental measures that can be adopted to enhance the SCCs, there remains a question in relation to EU-US transfers as to how to sufficiently compensate for the inadequate protection provided by US law in practice.

Other business will look on with interest at what, if any, supplemental measures have been put in place by FBI, and how far these supplemental measures go in satisfying the concerns of not just the DPC but also the other affected EU data protection authorities that take part in the GDPR cooperation and consistency mechanism. Businesses might though have to wait for some time. It looks as though FBI will have 21 days to respond to the PDD but this could well be extended. The DPC will then have to prepare its draft decision and submit this to the cooperation and consistency mechanism, which may involve the need for an EDPB opinion. This is unlikely to result in a quick outcome, despite the time limits in the GDPR likely taking a period of several months. As happened in the recent Twitter case, the other affected data protection authorities may not agree with the DPC’s conclusions and may call for even more stringent measures against FBI, perhaps including a fine as well as the suspension or ending of transfers.

On completion of the cooperation and consistency procedure, the DPC will then have to issue its final decision. This could in turn be subject to appeal by FBI. In the meantime, we are likely to see new and updated SCCs being adopted and issued by the European Commission. These may then be used by FBI in place of its existing SCCs and may go at least some way towards ensuring the necessary level of protection for transferred data. The situation thus remains complex with an uncertain future. There are several more chapters yet to come before the saga of Max Schrems and Facebook draws to a close.