The United States government will make a first court appearance in the Dublin High Court on 27 June 2016, alongside at least six other applicants, to explain the surveillance policies that have led to the collapse of the legal framework for transferring personal data from the European Union (EU) to the US.
This follows the revelation on 13 June 2016 that the Irish data commissioner Helen Dixon raised concerns over the legality of the temporary measures, including binding corporate rules, in place since the European Court of Justice struck down the Safe Harbour agreement for the transfer of data between the two blocs.
The commissioner has made no postings to her website on the matter. She is also refusing to comment to the media on the resulting situation, in which the Irish High Court will hear, on 27 June, her additional application to have her ruling sent to the European Court of Justice for review.
On 17 June 2016, The Irish Times newspaper reported that the data commissioner had raised concerns that the temporary arrangements covering transfers of European personal data to the US, which include Standard Contractual Clauses and Binding Corporate Rules, were illegal.
Dixon, while privately notifying the key parties – including the Austrian law student Max Schrems – about her court appearance, failed to give notice to the public or the media, apart from local Irish media via the High Court case list.
The Irish data commissioner was ordered by the European Court of Justice in October 2015 to investigate Schrems’s complaint against Facebook and the US Government, in which he said his European privacy rights were infringed by the US Government’s use of the Prism mass surveillance programme.
In the same judgement on 6 October 2015, the European Court struck down the 15-year-old Safe Harbour agreement between the US and the EU, which had permitted the transfer of personal data between the two blocs.
The judgement, quoting from a European Commission Communication, noted: “All companies involved in the Prism programme [a large-scale intelligence collection programme], and which grant access to US authorities to data stored and processed in the [United States], appear to be Safe Harbour certified.”
It went on: “This has made the Safe Harbour scheme one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the [European Union].”
The judgement about Safe Harbour was based on findings by the Dublin High Court in June 2014 that the US was engaged in “mass and indiscriminate surveillance” in the EU using Prism.
Dixon’s arguments are in line with those of the Article 28 College of European Data Regulators, which reported that since the Schrems Judgement, transfers to the US cannot take place under Safe Harbour. The European Court granted no grace period for companies to adjust to the striking down of Safe Harbour.
Schrems hopes for adversarial hearing
So far, the US Government has refused to comment on its proposed submission to the court on 27 June 2016. This takes the form of an “amicus curiae” brief, technically a submission as a “friend of the court”, and is non-adversarial.
This normally means that the submission is immune from both cross-examination and direct criticism. Little use is made of the “amicus curiae” procedure in the Irish courts and it is not known what approach Judge Brian McGovern will take to what may be a very contentious submission by the US.
Max Schrems, the Austrian law student whose original complaint led to the European Court Judgement, is hoping that the hearing will be a normal adversarial one. In a series of recent interviews, he told continental and American newspapers that he is hoping to put the US Government under oath and have their representative cross-examined.
Schrems told Ars Technica UK’s Brussels correspondent Jennifer Baker that: “There are very specific transfers that are not going to work. The big problem is they affect the big shots – Microsoft, Apple, Facebook, Google.
“The US says you have to do mass surveillance. The European Union says you can’t. This struggle is really only a problem for the big companies. But it should not be solved by the European Union just not enforcing its law.”
As of 21 June 2015, however, at least five other parties have indicated to the court that they wish to make their own “amicus curiae” submissions on the 27th.
These include the Microsoft-founded Business Software Alliance, the American Chamber of Commerce, the Irish employers federation (IBEC), Digital Rights Ireland and the US-based Electronic Frontier Foundation.
This does not include Schrems or Facebook, both of whom would have litigants’ rights at the court and could both argue for or against Dixon’s findings and against her referring them to the European Court.
Schrems is unlikely to oppose her findings, which are in his favour, or to oppose them going to the European Court of Justice, which found in his favour last time.
The “amicus curiae” process allows for oral and written submissions from individuals and corporations. It is unlikely that the seven known applicants for the hearing on 27 June will be the last to apply to the court.
The ruling by the Irish data commissioner, however predictable, poses an acute threat to the attempt by the European Commission and the US Government to patch together a successor to Safe Harbour called Privacy Shield.
As the Dublin solicitor Simon McGarr told a meeting in the House of Lords in March 2016: “The stumbling block remains the same – this is Prism, and it’s hard to see how progress can be made until it changes.”
However, the volume of electronic business at stake between the US and Europe is immense, and the major players in the digital world urgently need a solution.
So far, it’s the spooks in the US – mainly the boss at the National Security Agency, Admiral Michael Rogers, and his boss at the Office of the Director of National Intelligence, General James Clapper – who have refused to budge.