alex_aldo - Fotolia
A draft finding by the Irish Data Protection Commissioner that existing EU-US data transfer channels are invalid on grounds of inadequate US legal protections for EU citizens' privacy rights could cost €143bn a year, Facebook Ireland has claimed before the High Court in Dublin.
The claim came as the US government made an unprecedented application in the Irish courts, to join the action by commissioner Helen Dixon aimed at establishing the legality of channels, known as Standard Contractual Clauses (SCCs), being used for daily EU-US data transfers.
SCCs were approved under European Commission decisions of 2001, 2004 and 2010, but doubts about their validity have mounted after disclosures about US mass surveillance by National Security Agency (NSA) contractor Edward Snowden and since the Court of Justice of the European Union (CJEU) struck down the 15-year-old Safe Harbour arrangement for EU-US data transfers in 2015.
Judge Brian McGovern will rule by the end of July 2016 on the applications by the US and by major Irish, EU and US business and civil liberties organisations, to join the case as amicus curiae (assistant to the court on legal issues).
The action is aimed at having the issue of the validity or otherwise of the SCCs referred by the High Court to the CJEU for determination. Unless a party has been joined to the case by the Irish High Court, it cannot participate in any referral to the CJEU.
The commissioner, in a draft finding in May 2015, said Austrian lawyer Max Schrems had raised “well-founded” objections to the validity of the SCCs, after complaining over Facebook’s use of SSCs to transfer his personal data to the US. When a “well-founded” decision is reached, the next step for a commissioner is to seek to have the CJEU decide the issue.
The outcome of continuing EU-US discussions on a “Privacy Shield” may affect the wording of any referral, the commissioner's counsel Michael Collins said.
Case raises major issues over US surveillance
The case, with potentially huge implications for businesses and millions of EU citizens, raises major issues concerning surveillance by US national security agencies and whether US law provides an adequate remedy for any breach of privacy rights of EU citizens guaranteed under the Charter of Fundamental Rights of the EU.
Its importance is underlined by the applications to join the case by the US government; the Business Software Alliance (BSA), a global business organisation whose application was supported by the American Chamber of Commerce Ireland; the Irish Business & Employers Confederation; and Digital Europe, the representative organisation for the European digital industry.
The privacy and human rights issues raised by the case were underlined in joinder applications from the Irish Human Rights & Equality Commission; the American Civil Liberties Union/Irish Council for Civil Liberties (in a joint application); and two US-based data privacy watchdogs, the Electronic Frontier Foundation and the Electronic Privacy Information Centre. Author and privacy campaigner, Kevin Cahill, a Computer Weekly contributor, has also applied to join the proceedings.
Read more about Privacy Shield
- Adoption of Privacy Shield is unlikely before June 2016, and the scheme is likely to be challenged by national data protection authorities and individuals
- It would be “very sensible” if both the EU and the US answered the questions European data protection authorities are asking about the Privacy Shield pact, according to the UK information commissioner
- The Article 29 Working Group’s call for revisions of the Privacy Shield for transatlantic data transfers is welcomed by those keen for a stronger framework and criticised by those keen to avoid delay
Ending SCCs will reduce European GDP by 1%
Paul Gallagher, counsel for Facebook Ireland, said the case has enormous implications for Ireland, the EU and globally. It was conservatively estimated by the BSA, if the SCCs were found invalid, that would have a negative impact of some 1% on European gross domestic product (GDP), costing some €143bn annually, he said.
While the court “of course has to the apply the law even if the heavens fall in”, it should know to what extent the heavens might fall in on the basis of its decision, counsel said.
Maurice Collins for the BSA said the commissioner’s draft finding, if upheld, could have a negative impact on Europe’s GDP up to four times worse than during the 2012 economic downturn.
The case has potentially enormous implications for the entire Irish economic sector, ranging from workers to suppliers to employers.
Case is of critical importance to the US
Counsel for the US government, Eileen Barrington, said the US was in “a unique and unprecedented position because its laws are at the heart of the case”, and it was of “critical importance” to the US to be joined for reasons including to update the court concerning the adequacy of US data protection laws.
It was hard to exaggerate the importance with which the US viewed this case, with its potential to have an impact on US agencies and EU-US commerce, she said. “We are deeply concerned we should be heard.”
Barrington disagreed with Schrems' argument the US’s role should be confined to submissions on US surveillance law only, and said the US wanted to make submissions concerning US law and practice, and how that might compare with law in other EU states.
The US wants to address the continuing EU-US negotiations on the Privacy Shield – which is aimed at resolving EU concerns about adequacy of US protections for data privacy rights of Irish citizens – and the terms of any reference to the CJEU, she said.
A draft decision on the Privacy Shield, based on commitments from the US, concludes the US offers an adequate level of protection, added Barrington.
For the commissioner, Collins noted the US government had said it wanted to make submissions in relation to issues of US law. The commissioner's position was, if the court agreed to allow the US provide evidence on US law, that evidence must be sworn and must be capable of being tested by other expert witnesses, he said.
Privacy and surveillance are at the heart of the case
Colm O'Dwyer, senior counsel for Epic – a Washington DC-based independent data privacy watchdog – said it wanted to provide “another source of information” about the adequacy of US data protection and maintained the key issues at the heart of this case concern “surveillance and privacy”.
Nuala Butler, representing the Irish Human Rights and Equality Commission (IHREC), said it should be joined because of its statutory function to protect human rights, international connections and experience. Other human rights bodies won’t have access to the CJEU unless her client is involved, she said.
Michael Lynn, senior counsel for the American Civil Liberties Union (ACLU), sought to be joined for reasons including the ACLU’s involvement in public interest litigation in the field of US surveillance.
Schrems, represented by Sean O'Sullivan, indicated in affidavits he did not object to the US government being joined provided civil liberties interests were adequately represented.
The commissioner is bringing the case against Facebook Ireland – where Facebook's European headquarters are – and Schrems because she considers they are the appropriate parties to address the relevant issues arising from Schrems' complaint.
Commenting on the hearing, IT lawyer,Dai Davis said: “While the cost to European companies may be high were SCCs found to be invalid, the cost to US businesses would undoubtedly be much higher. It is however important that there is such a cost, in order to ensure that US companies have commensurate burdens that EU companies have in complying with EU data protection laws.”
Read more on Privacy and data protection
Irish privacy watchdog orders Facebook to stop sending user data to the US
Why data exports from the EU will be challenging without Privacy Shield
Schrems steps up pressure on Irish data protection commissioner on Facebook’s data sharing with US
Privacy Shield: Companies face new hurdles to legally transfer data to the US