Why did the Irish Data Protection Commissioner go to the Irish High Court to refer questions of European Union law to the Court of Justice in Luxembourg rather than referring them herself?
Writing in the latest edition of Data Protection Ireland, barrister Gary Fitzgerald, director of the Irish Centre for European Law, has rowed in with an analysis of the law (see here). According to Fitzgerald there is nothing to stop the commissioner from bypassing the Irish courts and heading straight to Luxembourg with questions on the validity of European Union data protection law.
Many people asked why the commissioner needed to issue proceedings in the High Court to access the highest EU court following an unprecedented Irish court judgment. As readers will recall the Irish court joined the US government and others to proceedings initiated by the Data Protection Commissioner for the purpose of referring questions concerning the legality of personal data transfers outside the European Union.
Respected Irish Times journalist Karlin Lillington expressed bafflement at a decision that would needlessly add years to the procedure and cost millions in legal fees.
— Karlin Lillington (@klillington) July 28, 2016
Complainant Max Schrems, is now faced with a multi-million euro litigation which includes three weeks in the High Court before fundamental issues of EU data protection law can finally be put to bed, he’s not happy.
According to Fitzgerald
The CJEU in Schrems I put an obligation on each supervisory authority to vindicate the rights of EU data subjects. This can only be done by referring a question to the CJEU. The issue is whether the CJEU would reject a reference from the DPC on the grounds that it was not a court or tribunal. The definition is flexible allowing CJEU to respond to the needs of justice in each case.
Schrems II sees a conflict between global trade, national security and the fight against crime on the one hand and fundamental rights of almost all EU data subjects on the other. It is one of the most important cases that the CJEU will ever hear. Yet by not referring a question herself, the DPC has delayed a reference to the CJEU by almost a year, if not longer.
Clearly, it is this article’s view that the DPC does have the necessary characteristics to be classified as a court or tribunal. In addition, the need for a quick resolution of this dispute means that the CJEU would likely have accepted a reference, notwithstanding any doubts that it had about the judicial nature of the DPC.
The issue raised here is only going to get more significant. Given that there will certainly be a challenge to the new Privacy Shield, and that challenge could likely come from Ireland, the DPC and any party to the complaint will have a decision to make. The DPC will have to consider making a reference, and if she fails to do so, the complainant, or data controller, will have to consider challenging this refusal. The best course of action would be for the DPC to refer a question and have the CJEU determine acceptance. Overall, it seems likely that the CJEU would, given the nature of Section 10 and the importance of the reference, accept it.
So it seems that as this case unfolds questions will not just be asked of the CJEU!
Photo credit: https://www.flickr.com/photos/22325431@N05/