US government joins legal challenge of EU-US data transfers

Helen Dixon, Ireland’s data protection commissioner, is asking the European Court of Justice to rule on the legality of EU-US data transfers, post-Safe Harbour, in a landmark legal challenge

An Irish High Court judge has granted an unprecedented application by the US government to be joined to a major legal action over whether existing EU-US data transfer channels unlawfully breach the privacy rights of EU citizens.

Mr Justice Brian McGovern said he was satisfied that the US government has a “significant and bona fide interest” in the outcome of the case.

He was giving his reserved judgment on applications by the US government and several other parties to be joined as amicii curiae (assistants to the court on legal issues) to the action by the Irish data protection commissioner aimed at deciding the validity of channels – known as standard contractual clauses (SCCs) – being used for daily EU-US data transfers.

The commissioner wants the validity of the channels to be referred by the High Court to the Court of Justice of the EU (CJEU) for determination. Unless a party has been joined by the Irish High Court, it cannot take part in any reference to the CJEU.

A “Privacy Shield” arrangement for data transfers, adopted by the European Commission earlier this month after discussions between the EU and the US, may affect the wording of any referral.

On Tuesday, Mr Justice McGovern said he would join the US government as amicus because it has a “significant and bona fide interest” in the outcome. At issue is the assessment, as a matter of EU law, of the US’s law governing transfer of EU citizens’ data to the US, he said.

The imposition of restrictions on transfer of such data would have potentially considerable adverse effects on EU-US commerce, could affect US companies significantly, and the judge said he was satisfied that the US could bring “added value” to the case.

He also joined US-based data privacy watchdog EPIC (Electronic Privacy Information Centre), on the basis that it could offer a “counter-balancing perspective” from that of the US government concerning the position in the US.

Court joins privacy and trade groups

EPIC claims to be the leading privacy and freedom of information organisation in the US, with special expertise in government surveillance and related legal matters, the judge noted.

The court also joined Business Software Alliance, a global trade association whose application was supported by the American Chamber of Commerce Ireland, to the case. The BSA’s members include internet giants Apple and Intel, as well as smaller entities, and the judge considered it could provide relevant views not otherwise available to the court.

The judge also joined Digital Europe, saying it is the principal representative body on matters for EU policy for members of the digital technology industry in Europe, and many of its members have an interest in, and will be affected by, the decision made in the case. He was satisfied it could assist the court.

Law student’s objections ‘well founded’

In a draft finding last May, commissioner Helen Dixon found that Austrian lawyer Max Schrems (pictured above) had raised “well-founded” objections to the validity of the SCCs approved under European Commission decisions of 2001, 2004 and 2010.

Doubts about their validity have increased following disclosures about US mass surveillance by Edward Snowden and since the CJEU last year struck down the 15-year-old Safe Harbour arrangement for EU-US data transfers.

The commissioner’s case is against Facebook Ireland (because Facebook’s European headquarters are there) and Schrems because she considers they are the appropriate parties to address the relevant issues arising from Schrems’ complaint.   

Case raises surveillance issues

The case raises significant issues concerning surveillance by US national security agencies and whether US law provides an adequate remedy for any breach of the privacy rights of EU citizens.

The BSA has claimed that if the existing channels are ruled invalid, it could cause losses of €143bn a year to the European economy. 

Court refuses other applications

The judge refused to join the Irish Business & Employers Confederation, the representative group for Irish business, after finding that it could not add anything to assist the court.

In refusing to join the Irish Human Rights & Equality Commission, the judge said the data protection commissioner had a particular statutory remit in relation to issues of data protection and was the designated national supervisory authority for monitoring the application of the relevant EC directive in relation to protecting the data privacy of individuals.

Read previous coverage of the case

He said he was not satisfied that the IHREC could offer assistance that could not be offered by the commissioner.

The judge also refused to join the American Civil Liberties Union/Irish Council for Civil Liberties; another US-based data privacy watchdog, the Electronic Frontier Foundation; or UK-based journalist and data privacy campaigner Kevin Cahill, a contributor to Computer Weekly, on grounds including the court’s view that they would not offer any particular assistance or a different perspective not already available.

Schrems to apply for costs order

The case will return to the court on Monday, when the judge will hear an application by Schrems for a protective costs order which, if granted, would mean he would not be exposed to the costs of the litigation

The judge will also make directions on Monday for exchanging legal documents for the hearing, for which a date has yet to be set.

Read more on Privacy and data protection