The judges in Luxembourg are expected to issue a final decision in early 2020 | Julien Warnand/EPA Ireland’s privacy regulator under fire in EU top court A hearing about data transfers turned into a gripe fest about Ireland’s data protection authority, which declined to rule on the matter back in 2013.

LUXEMBOURG — Ireland’s data protection authority came under fire during a hearing at the Court of Justice of the European Union on Tuesday over its refusal to take a decision on whether Facebook could transfer the personal data of Europeans to the United States.

EU institutions, national governments and industry groups joined Austrian privacy activist Max Schrems and even the Irish government in lining up to criticize the Dublin-based regulator, which had deferred the matter to Ireland’s highest court.

“The Data Protection Commissioner has the necessary power to suspend or prohibit data flows,” a representative for the Irish government said, referring to Facebook’s data transfers to the U.S., which were the subject of a complaint brought by Schrems in 2013. “We acknowledge the difficulty of the task, but it should not mean all standard contractual clauses should be deemed invalid.”

Instead of deciding on the case, the Irish Data Protection Commission (DPC) asked its country’s national courts to determine whether so-called standard contractual clauses — complex legal mechanisms that allow thousands of companies to move data from Europe to the U.S., Asia and elsewhere — were valid.

The Irish High Court then referred the case to the Court of Justice of the European Union (CJEU), which now has to assess whether they violate Europeans’ fundamental right to privacy, leading to Tuesday’s hearing.

In his original complaint, Schrems sought to get Facebook to stop sending Europeans’ personal data to the United States on the basis that it would be subject to surveillance from intelligence bodies such as the National Security Agency.

“When data is transferred by Facebook to the U.S., the protection is weakened by U.S. law. That is true with any transfer mechanisms, including the Privacy Shield. It’s systemic,” his lawyer told a packed room in Luxembourg, where the European Court is based.

The Privacy Shield is a transatlantic data flow agreement allowing companies to transfer European personal data from the EU to the U.S. It replaces the Safe Harbor, which was struck down by the CJEU in late 2015.

Data shutdown fears

Schrems’ complaint focuses squarely on Facebook and the so-called standard contractual clauses it used to transfer personal data to the United States.

But the judges in Luxembourg, whose final decision is expected in early 2020, could make a ruling on the validity of standard contractual clauses in general.

Companies worry that a ruling to invalidate the clauses could turn off data transfers from Europe to the U.S. overnight and affect flows to other parts of the world such as Asia and South America.

“The effect [of an invalidation of standard contractual clauses] on trade would be immense and would have World Trade Organization implications for the EU,” Facebook’s lawyer told the court. “There is no evidence that Facebook’s transfers are under any particular risks.”

Facebook, which tried unsuccessfully to block the case from being referred to the CJEU, argued the company does not comply with all data access requests made by the U.S. government: “The level of request [by government agencies] is very small compared to the data Facebook has, and Facebook carefully scrutinizes those requests for legal validity.”

Both the tech giant and the U.S. government made the argument that ruling on a foreign surveillance regime is not within the court's scope. Europe's sweeping privacy reform — the GDPR — does not give the EU the mandate to "conduct a worldwide enquiry" of surveillance regimes across the world, a representative for the U.S. government said.

Meanwhile, the Irish regulator argued that the European court should invalidate standard contractual clauses because they do not offer sufficient remedies for users whose data has been collected by U.S. intelligence agencies.

Ganging up against the DPC

Schrems had originally complained to Ireland’s DPC, which is in charge of Facebook, given the location of the company’s European headquarters in Dublin.

The regulator questioned the validity of standard contractual clauses in general, and the High Court asked the CJEU to rule on the compliance of such mechanisms in general with the Charter of Fundamental Rights.

But the Austrian activist did not want to question the validity of all standard contractual clauses.

“We agree with the DPC [on U.S. surveillance], but not on the radical solution. The solution is not for the court to invalidate standard contractual clauses but for the Data Protection Commissioner to enforce them,” his lawyer said.

The European Commission, EU governments and tech lobby BSA-The Software Alliance, which represents companies such as Apple, IBM and Microsoft (but not Facebook), defended the overall validity of the transfer mechanism.

“This case is not about U.S. laws but about who's responsible for what. What's the responsibility of the European Commission, the DPC, national courts ...” the Commission said.

The Netherlands and the U.K. echoed Ireland’s comments about the DPC’s role in stopping data transfers.

Ireland's data regulator did not find support among its peers either.

“It is to the supervisor authority to assess, based on a complaint, whether data are protected under standard contractual clauses. If not, they may suspend transfers,” said Andrea Jelinek, chair of the European Data Protection Board (EDPB), which represents regulators.

Privacy Shield’s shadow

For the hearing, the court also asked a series of questions about the legality of the separate Privacy Shield transatlantic data flow agreement. Judges insisted the two cases are linked.

A separate hearing on the Privacy Shield agreement at the EU's General Court has been postponed pending a judgment in the case heard Tuesday.

"This Court should find that Privacy Shield is invalid," Schrems' lawyer said Tuesday.

The EDPB also expressed some known concerns about effective remedies for European citizens in the U.S. The board “cannot state that the Ombudsperson constitutes an effective remedy," Jelinek told the court, referring to the person in charge of handling complaints by European citizens.

Unsurprisingly, the Commission defended its decision to strike an agreement with Washington on data flows. But it struggled to answer to the judge’s questions about whether U.S. intelligence agencies have access to content data from EU users.

National governments, including Ireland, urged judges to “confine their examination” to standard contractual clauses.

The conclusions from the court’s advocate general are expected December 12.

CORRECTION: This story was amended to correct a summary of a statement from a U.S. government representative. The representative said Europe’s General Data Protection Regulation does not give the EU the mandate to “conduct a worldwide enquiry” of surveillance regimes across the world.