nanomanpro - Fotolia

Facebook data case raises US national security issues

Dublin court case on the legality of Facebook’s data transfers to the US raises issues that affect US national security, claims US Department of Justice

A legal claim by the Irish data protection commissioner, querying the validity of data transfer channels between the US and the UK following a complaint against Facebook, is “of the utmost importance to the US and to the broader public,” the US government said.

The High Court in Dublin will hear an unprecedented application by the US to join a High Court case on 7 July 2016, brought by the Irish information commissioner to consider the validity of contractual clauses which are used to govern transfers of data between the EU and the US.

The case follows a complaint by Austrian student Max Schrems that Facebook had not ensured his personal data was adequately protected when Facebook transfered his data from the European Union (EU) to the US.

Department of Justice (DoJ) US attorney Donna Chapin argued that the US DoJ should be joined to the case. 

In a sworn statement released 27 June 2016, Chapin said the legal action raised issues around “the circumstances in which such data are accessed and processed on law enforcement and national security grounds.”

According to Chapin, the US is the best placed to provide an “accurate, up-to-date and comprehensive account” of the relevant US legal regime governing access to data by government authorities, including available redress measures.

Objections to Standard Contractual Clauses ‘well founded’

Irish data protection commissioner Helen Dixon initiated the high court case after making a draft finding in May 2016 that Austrian lawyer Max Schrems had raised “well-founded objections” to the validity of EU-US data transfer channels, known as Standard Contractual Clauses (SCCs).

Schrems complained Facebook Ireland was transferring his personal data through SCCs to servers located in the US, where it was being processed, without ensuring sufficient protection, as required under the Charter of Fundamental Rights of the EU.

The use of SCCs has been approved under various European Commission decisions, but concerns whether SCCs comply with the data protection rights of EU citizens have mounted since the Court of Justice of the EU (CJEU) struck down the previous EU-US Safe Harbour data transfer arrangement in 2015.

Privacy and data protection rights of EU citizens breached

The CJEU based its ruling on the indiscriminate and mass nature of US surveillance and the finding that EU citizens had no effective remedy under US law for breaches of their privacy rights.

After a seven-month investigation, Dixon made a draft finding SCCs also breach privacy and data protection rights of EU citizens.

In her proceedings against Facebook Ireland (Facebook’s European headquarters), the commissioner wants the High Court – if it shares her doubts about the validity of the SCCs – to ask the CJEU to rule on the legality of SCCs.

The case received a brief hearing on 27 June 2016 before Justice Brian McGovern in the Commercial Court, the big business division of the High Court.

He fixed 7 July 2016 to hear a series of applications to be joined to it as amicus curiae (assistant to the court on legal issues). Some of the applications are being contested, the court was told.

The judge will hear applications by the US government; Business Software Alliance (supported by the American Chamber of Commerce in Ireland); Irish Business and Employers Confederation and Digital Europe, representing the European digital technology industry to be joined to the case.

Cloud data storage businesses will be ‘significantly affected’

Irish business management consultant Ibec said Irish businesses, including those using “cloud-based” data storage systems offered by entities using SCCs, stand to be significantly affected by decisions in the case.

Another joinder application is jointly brought by the American Civil Liberties Union and Irish Council for Civil Liberties.

The Electronic Frontier Foundation and Epic (Electronic Privacy Information centre), both US-based data privacy watchdogs, are among those that want to join.

Chapin said in a sworn statement that the case was of the “utmost importance” to the US government as it raises issues concerning the legality, as a matter of EU law, of the present regime governing transfer of EU citizen data to the US.

The Privacy Shield Framework negotiated by the EU and US and any adoption of a draft European Commission decision of February 2016, which concluded the US regime meets the requisite test for an “adequate level of protection”, may have considerable implications for the case, said Chapin.

Read more about Privacy Shield

While it was premature at this stage for the US to commit to defining the particular matters it proposes to comment on, it did want to make submissions on Dixon’s draft decision, she said.

Dixon said she received unsolicited submissions in May 2016 from the US concerning the Privacy Shield Framework, but had formed her own “independent view” after seeking independent expert advice on certain matters of US law. However, that advice has not been seen by the US government, said Chapin.

In the joint ICCL/ACLU joinder, the ACLU said it has “deep concerns” about the possibility of rights violations associated with the US government’s “mass surveillance”, as well as the “great difficulty” of getting “meaningful redress” for such violations.

The BSA said SCCs provide the legal foundation for millions of daily data transfers to countries outside the European economic area. It added that thousands of European and non-European companies rely on SCCs to transfer customer data to locations outside Europe, including the US.

If SCCs were unavailable, using a smartphone to send an email or withdrawing cash from an ATM would become “nearly impossible”, it said.

Ronan Lupton, representing Digital Rights Ireland (DRI), said following opposition from Schrems, DRI was not pursuing its application.

Read more on IT legislation and regulation