Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Friday 29 September 2023 Dublin: 11°C
Christopher Lane Edward Snowden talks with Jane Mayer via satellite at the 15th Annual New Yorker Festival
Snowden leaks provided momentum to bring us to this crucial point in data protection
It’s important to pause and consider the manner in which Edward Snowden has influenced the direction of EU data protection law, writes Maria Helen Murphy.

YESTERDAY, in the case of Schrems v Data Protection Commissioner, the Court of Justice of the European Union (CJEU) found the “Safe Harbour” data transfer mechanism to be invalid.

The Safe Harbour system was devised as a streamlined system in order to facilitate the transfer of personal data from Europe to the United States.

In 2000, the European Commission released a decision declaring that the Safe Harbour system provided an “adequate” level of data protection.

Under the scheme, US based companies could volunteer to abide by the Safe Harbour principles in order to benefit from the streamlined data transfer mechanism.

Europe Facebook Lawsuit Associated Press Max Schrems, left, and his lawyer Herwig Hofmann, right, walk in the hallway after a ruling at the European Court of Justice in Luxembourg yesterday. Associated Press

The decision in Schrems constitutes a significant win for privacy advocate Max Schrems in his ongoing legal battle with Facebook and the Irish Data Protection Commissioner.

The ruling in Schrems was the result of a preliminary reference from the Irish High Court in June 2014.

Mr Justice Hogan referred a question to the CJEU, asking whether the Data Protection Commissioner was bound by the EU Commission’s adequacy decision, or whether the Data Protection Commissioner should investigate the matter independently.

In a major victory for Max Schrems, the CJEU decided not only that the Data Protection Commissioner had a duty to investigate the matter, but also decided to consider whether the Safe Harbour regime itself was valid.

The impact 

Following the decision of the CJEU to invalidate the Safe Harbour mechanism, commentators have been debating the extent of the ruling’s impact, but almost all agree that the decision has significant implications for how internet companies operate.

Facebook IPO Associated Press Associated Press

In spite of the apparent shock in some quarters, this decision did not come without warning. In fact, this decision arrives subsequent to a series of strongly pro-privacy decisions from the CJEU.

The most notable decision in this collection – prior to yesterday’s Safe Harbour decision – is another case with a strong Irish connection. I am, of course, referring to the decision in Digital Rights Ireland and Seitlinger and Others, which was decided by the CJEU in April 2014.

Like the Schrems case, the Digital Rights Ireland case saw the CJEU invalidate a piece of EU law on the grounds of data protection and privacy.

In the Digital Rights Ireland case, it was the Data Retention Directive that was deemed invalid by the CJEU.


In spite of the potential for disorder following both the Digital Rights Ireland and Schrems rulings, in both cases the CJEU declined to declare a grace period for reorganisation and adjustment.

 NSA whistle-blower 

The similarities between the decisions do not end there. In addition to references in both rulings to the Charter of Fundamental Rights, the influence of the NSA whistle-blower, Edward Snowden, is clear.

The documents released by Snowden detailing the capability of the NSA to access information held by US companies (including Facebook) through the PRISM programme appeared particularly influential in both of the rulings.

Hong Kong Surveillance Snowden Associated Press Associated Press

As the debate concerning the full effect of decision in the Schrems case continues, it is important to pause and consider the manner in which Edward Snowden has influenced the direction of EU data protection law.

EU data protection law 

The Digital Rights Ireland decision was the first major European ruling on surveillance following the Snowden revelations.

The Data Retention Directive had been introduced in response to the terrorist attacks in Madrid and London and was deemed a crucial tool in efforts to combat terrorism and organised crime. Under the Data Retention Directive, Member States were obliged to provide for the retention of communications metadata for between six and 24 months.

The metadata that was required to be retained included the data necessary to determine the source, destination, date, and time of communications.

shutterstock_288062099 Shutterstock / DrHitch Shutterstock / DrHitch / DrHitch

The CJEU found the indiscriminate and unlimited collection of data on ‘all persons and all means of electronic communication’ to be a disproportionate interference with privacy and data protection rights.

Delivered in the aftermath of the Snowden revelations, the decision in Digital Rights Ireland was a clear statement of intent on behalf of the highest court of the EU.

In an implied reference to the Snowden revelations, the CJEU criticised the Data Retention Directive for not requiring that data be retained within the EU.

Implications for multinationals that transfer data outside of the EU  

According to the court, by not requiring this, the Data Retention Directive could not fully ensure “compliance with the requirements of protection and security by an independent authority” as is required by the Charter.

This reasoning had clear implications for multinationals that transfer data outside of the EU and foreshadowed the recent decision in the Schrems case.

The significance of this finding was not lost on the Irish Courts when it considered Schrems’ arguments at the domestic level in June 2014.

shutterstock_45316066 Shutterstock / Mariusz Gwizdon Shutterstock / Mariusz Gwizdon / Mariusz Gwizdon

Before sending the preliminary reference question to the CJEU that resulted in Tuesday’s decision, the Irish High Court directly addressed the significance of the Snowden revelations.

Snowden revelations 

Mr Justice Hogan considered the Snowden revelations in detail and evaluated whether the existence of the PRISM programme and the findings of the CJEU in Digital Rights

Ireland cast doubt on the legality of Safe Harbour. Accordingly, even though the question put to the CJEU by the Irish High Court did not explicitly request a ruling on the issue of Safe Harbour, the candid examination of the Snowden revelations certainly set the stage for Tuesday’s decision in Schrems.

As the debate surrounding the technical, economic, and political effects of the ruling in Schrems continues, it is important to recognise that this is a crucial moment for data protection and privacy in Europe and around the World. While reform of the data protection regime continues to face challenges and problematic legislation – such as the recent French surveillance law – continues to be introduced, the influence of the Snowden revelations is difficult to deny.

The Safe Harbour regime had been recognised as problematic since its inception, yet the Snowden revelations provided the additional momentum needed to launch an effective legal challenge.

In his newly opened Twitter account, Edward Snowden thanked Europe for the decisions in both the Schrems and Digital Rights Ireland cases.

Such gratitude is returned to Snowden by many privacy advocates benefiting from the persistent and powerful “Snowden Effect”.

Maria Helen Murphy is a Lecturer in Law at Maynooth University. 

Read: The unfree Irish in the Caribbean were indentured servants, not slaves>

Read: Debate Room: Should there be a rent freeze?>

Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.