Austrian lawyer Max Schrems maintains the main protections provided by the US for data privacy rights of EU citizens have no statutory basis and “could be altered tomorrow”, the High Court has heard.

The major protections are said to be presidential and executive orders and directives, along with the Ombudsperson provided for under the 2016 Privacy Shield framework agreement between the European Commission and US on data transfers, Eoin McCullough SC, for Mr Schrems, said.

These are “simple administrative schemes with no statutory basis” that “may well be ephemeral”, counsel said.

Mr McCullough was setting out Mr Schrems’s position on Data Protection Commissioner Helen Dixon’s case aimed at having the High Court ask the Court of Justice of the EU (CJEU) to decide the validity or otherwise of European Commission decisions of 2001, 2004 and 2010 approving data transfer channels known as standard contractual clauses (SCCs).

Personal data

The Commissioner wants the CJEU to determine legal issues for her investigation into a complaint by Mr Schrems that transfer of his personal data by Facebook Ireland to the US breaches his data privacy rights as a EU citizen.

She initiated the case after reaching a draft finding Mr Schrems had “well founded” objections over the data transfers, arising from her view remedies in the US for breach of EU citizens data privacy rights are inadequate.

Her case is against Facebook and Mr Schrems but no orders are sought against them.

What is the Max Schrems case? It is the latest in a line of cases involving challenges on privacy grounds to the various methods by which companies transfer the personal data of EU citizens to countries outside the European Economic Area (EEA), mainly the US. Schrems case explained: read more I found this helpful Yes No

Facebook and Mr Schrems both oppose a reference for very different reasons. Facebook argues the Commissioner’s draft finding is wrong and fails to take account of the Privacy Shield agreement.

Mr Schrems argues a reference can only be made when a question is properly raised and the answer to that is necessary to address the underlying complaint.

In this case, a reference is unnecessary or at least premature, he says.

Facebook’s contract with its US parent did not comply with the relevant SCC decision of 2010 but the Commissioner has failed to investigate his complaint to that effect, he argues. This means the relevance of the SCC decision to the issue of the legality of the Facebook transfers has not been established, he says.

The Commissioner has failed to investigate any other means of data transfer, Facebook has not admitted to using other means and therefore the investigation is incomplete, he also claims.

National security grounds

In arguments on Friday, Mr McCullough said there is no objective criterion limiting access by US government authorities to data of EU citizens beyond a requirement that data relates to “foreign intelligence”. That could not conceivably be argued to meet the requirements of EU law, he said.

He said infringements of data privacy of EU citizens can be justified by the US on national security grounds only if those were in line with EU law provisions allowing such infringements as strictly necessary for reasons of national security and proportionate.

Counsel also argued there is a “safety valve” contained in the SCCs for protection of his rights.

Later on Friday, Brian Murray SC began his reply on behalf of the Commissioner to the arguments advanced by Mr Schrems, Facebook and seven entities, including the US government, involved in the case as amici curiae (assistants to the court on legal issues).

This was not a judicial review of the Commissioner’s draft decision and she was entitled to raise additional matters, including her concerns about limitations on the powers of the Ombudsperson under the Privacy Shield framework.

The case continues on Tuesday before Ms Justice Caroline Costello.