Is Europe v Facebook the start of the end for NSA surveillance of EU citizens?

The ‘Europe v Facebook’ Case: Challenging US Data Surveillance in Europe

Since Edward Snowden’s revelations about the NSA’s extensive spying activities, concerns have grown about the effectiveness of US data protection, particularly for EU citizens who benefit from stronger protections under the Data Protection Directive. One concern is the NSA’s ability to access communications processed by US-based social media companies like Facebook.

The Irish High Court’s recent decision to refer questions in the ‘Europe v Facebook’ case to the Court of Justice of the European Union (CJEU) could potentially lead to the end of NSA access to EU citizens’ data. However, it’s unclear if the CJEU will tackle the core issues directly due to the case’s complexity.

This case revolves around the “Safe Harbor” system, established by a Commission Decision. This system deems data protection “adequate” for all American companies that certify compliance with basic data protection principles. Despite concerns raised by the Snowden revelations, the Commission’s latest report on Safe Harbor didn’t propose dismantling the system.

However, Austrian citizen Mr. Schrems challenged the transfer of his Facebook data under Safe Harbor. He filed a complaint with the Irish data protection authority, chosen because Facebook has a subsidiary in Ireland. The authority argued it was bound by the Commission’s decision and couldn’t act on the “frivolous” complaint.

Mr. Schrems appealed to the Irish High Court, which referred a question to the CJEU. The key question is whether the data protection authority is bound by the Commission’s Decision and whether it can conduct its own investigation.

One key question the court didn’t address is whether the US system violates EU data protection law. The court seems to believe it does, citing the CJEU’s recent invalidation of the EU data retention Directive in the Digital Rights case. The judge criticizes mass surveillance, drawing parallels to totalitarian regimes.

The judge also finds that the US system lacks adequate safeguards for EU citizens and ignores EU law in its review process.

This analysis raises two fundamental issues: the Data Protection Directive’s scope and its derogations. The CJEU previously ruled in the Passenger Name Records case that the EU-US agreement on airline data transfer fell outside the Directive’s scope because it primarily regulated law enforcement activities, which are exempt. Conversely, the CJEU upheld the data retention directive, ruling that it rightly fell under the EU’s internal market powers as it regulated private industry, even for public security.

While the American law might fall under the first category, the Safe Harbor agreement clearly fits the second. This hybrid situation likely falls under the Directive’s scope as the Safe Harbor agreement is the central issue.

Secondly, the Directive’s external transfer rules don’t explicitly mention public security derogations from data protection rights. However, such derogations likely exist, given the Directive allows them for standard EU rules. Third countries’ security exceptions needn’t be identical to the Directive’s, but a minimum standard must apply. The judge’s reasoning suggests the US rules fall short of this standard.

Since the judge presumes the answers to these two issues, the CJEU received no questions about whether the American regime falls under the Directive’s scope or violates the minimum adequacy standards for third states. However, these are crucial points in the post-Snowden US-EU relationship that the CJEU should address.

Another issue is which EU data protection rules apply: the external transfer rules or the stricter standard rules? The court applied the former due to Facebook’s Safe Harbor certification. However, this might be incorrect.

The CJEU’s recent Google Spain judgment applied the standard rules to Google’s search engine because it had an “establishment” in Spain. This suggests that standard rules likely apply to some social networks like Facebook, particularly under the revised jurisdiction and external transfer rules. This is another issue the CJEU should consider.

Another point is how to practically challenge inadequate US data protection, which is the only question referred to the CJEU. Safe Harbor allows national authorities to suspend data transfers to a company if the US government or enforcement system violates the agreement, or if:

  • The Principles are likely being violated.
  • There’s reason to believe the enforcement mechanism isn’t taking adequate and timely steps.
  • Continuing the transfer risks serious harm to data subjects.
  • The Member State’s authorities made reasonable efforts to notify the organization and allow a response.

However, Irish law lacks such a system, presuming the Commission’s adequacy decision to be sufficient. This likely attracted Facebook and other US companies to Ireland.

The challenge argues that the data protection authority must exercise these powers, and the judge asks if this is possible. Logically, there’s only one answer, following the NS judgment: Member States cannot create an irrebuttable presumption hindering Charter rights. Therefore, the authority must possess these powers.

Alternatively, it must be possible to challenge the Commission’s adequacy decision in national courts, which can refer questions to the CJEU (see the Foto-Frost judgment).

Another point is the role of national constitutional human rights protections. The judge believes the American system violates the Irish constitution’s right to privacy. Yet, the court focuses primarily on EU law. If the CJEU rules against the challenge or avoids the merits on procedural grounds, should the national court apply Irish law?

National constitutional law doesn’t apply here because EU law extensively harmonizes this issue. The CJEU’s Melloni judgment states that only EU human rights standards (the Charter) apply, not national ones. However, Irish courts might resist this.

National law would apply only if the CJEU ruled this issue falls entirely outside the Directive’s scope. If it falls within a public security derogation from the Directive, the EU Charter would apply, similar to the Pfleger judgment, where the Charter applied to national derogations from EU free movement law. This is similar to the argument that national data retention laws fall under EU law (following Digital Rights) because they derogate from the e-privacy Directive.

Finally, we must consider the consequences if data transfers under Safe Harbor are suspended for Facebook. Assuming no change in US law, Facebook faces a dilemma: comply with US law or face suspension of data transfers from Europe. It could process EU resident data within the EU, potentially avoiding US law. However, this is costly, and the US might extend its law’s reach. This would impact other US companies too.

Blocking Facebook transfers from the EU would significantly strain EU-US relations, making Google Spain concerns seem minor. The only solution might be for the US to engage more seriously in data protection discussions with the EU, finding a solution that balances security concerns with privacy protection.

Licensed under CC BY-NC-SA 4.0