The Irish data protection commissioner has begun a major legal action in the commercial court in Dublin, which will require the Court of Justice of the European Union (CJEU) to decide if transatlantic data transfer channels breach privacy rights of European Union (EU) citizens.
The Irish commissioner, Helen Dixon, has formed a “provisional” view that there are “deficiencies” over the rights of EU citizens to access remedies under US law for any breach of their data protection rights protected by the European Charter, the court was told on 7 February 2017.
The case – which encompasses the US government, Facebook, technology trade bodies and human rights organisations – will have major implications for EU-US privacy rights, and the ability of technology companies to transfer data on EU citizens to the US.
In the hearing, Michael Collins, senior counsel (SC) for the commissioner, said the commissioner has formed the draft view the transatlantic data transfer channels – known as standard contractual clauses (SCCs) – do not provide the level of protection necessary.
One of the commissioner’s concerns is that US law effectively makes it more difficult for an EU citizen to get the necessary legal standing to be heard by a US court in relation to any alleged breach of privacy rights, he said.
If the court shares the commissioner’s doubts about the adequacy of the protections under US law, it should ask the CJEU to decide whether the SCCs are valid and provide adequate protection for the rights of EU citizens, Collins told the court.
Facebook maintains the court should take into account that there are different levels of protection “on the ground” across EU member states for data transfers in the EU, but the issue is whether US law provides equivalent protection to that provided under EU law, he said.
The potentially huge implications of the case for EU-US trade and privacy rights are underlined by the US government’s first ever involvement in litigation in the Irish courts.
It will argue “significantly enhanced” protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows.
Any finding by the Irish or European courts that the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”, it also claims.
Adequacy of US privacy claims under question
Claims about the adequacy of the US safeguards are disputed, including in an expert report to the court by US lawyer Ashley Gorski, of the National Security Project of the American Civil Liberties Union, who will give evidence on 10 February 2017.
Among various claims, Gorski believes there is “extremely limited” judicial oversight of actions taken under the US Foreign Intelligence Surveillance Act.
The act provides a low threshold for targeting non-US persons and includes an exception allowing the US government to retain communications of US and non-US persons if it concludes they contain any information broadly considered “foreign intelligence”, she said.
The adequacy of the US safeguards, and the effectiveness of remedies for any breach of rights, are key issues in the case, expected to last at least three weeks and cost several million Euro.
Another key issue is whether the transfer of personal data involves the “processing” that data. The commissioner argues it does, but Facebook disputes that.
The case concerns transfer of data by Facebook Ireland Ltd (FIL) – because Facebook’s European headquarters are in Dublin – to its parent company Facebook Inc and whether that transfer is lawful under Irish and EU data protection law.
Judge Caroline Costello will hear evidence from a large number of legal experts from the US and several European countries, including the well-known UK human rights lawyer and author, Geoffrey Roberston, QC, who has provided an expert report for Facebook.
Case stems from complaint by Max Schrems
The case stems from a June 2013 complaint by Austrian lawyer Max Schrems to the commissioner alleging FIL’s transfer of his personal data to the US was unlawful.
He made the complaint after former US National Security Agency (NSA) contractor Edward Snowden disclosed documents revealing surveillance by the NSA of certain internet and telecommunications systems operated by companies, including Facebook, Microsoft and Google.
Schrems, who was present at court, later took proceedings over the alleged failure by the commissioner to investigate his complaint. The refusal was based on her view she must accept European Commission (EC) decisions on the validity of the SCCs.
After the Irish High Court referred issues in the case to Europe, the CJEU ruled the Safe Harbour framework used for data transfers was invalid under the EU Charter due to failure to enable EU citizens to pursue effective legal remedies in the US over any alleged breach of their EU privacy rights.
The case returned to the Irish courts, quashing the commissioner’s refusal to investigate Schrems’s complaint. The commissioner opened an investigation into a reformulated complaint and her office made a draft finding in May 2015 that Schrems had raised well-founded objections over whether the data channels breached the date privacy rights of EU citizens.
The commissioner brought the current proceedings after deciding she could not complete her investigation without a ruling from the CJEU on the validity of three European Commission decisions of 2001, 2004 and 2010 approving the SCCs.
Her case is against Facebook Ireland and Schrems. Several concerned parties, including the US government, have been joined to the case as amici curiae – assistants to the court on legal issues.
Other amici include the Business Software Alliance (BSA); the Washington DC based Electronic Privacy information Centre (EPIC); and Digital Europe, representing digital technology associations and corporations operating in Europe.
Read more about Safe Harbour
- A mechanism for the transfer of data between the European Union (EU) and the US to replace the Safe Harbour agreement is achievable, according to an EU data protection official.
- The European Court of Justice’s decision to invalidate the Safe Harbour agreement has far-reaching implications for businesses.
Opening the commissioner’s case, Collins said the case has some unusual features and was being brought not for any vested interest or agenda, but arising from her statutory functions as commissioner.
Dixon considers she is obliged to bring the matter before the court having formed the view, in a draft decision, that Schrems’s complaint was well-founded, said Collins.
She was not seeking any relief against the defendants, but rather identifying the people most directly interested – Schrems as complainant and Facebook as the transferor of data.
If the court shared her concerns about the validity of the EC decisions, it should make a reference to the ECJ, he said.
The commissioner also took the view that much of the factual evidence Facebook has put before the court is not relevant to the issues the court has to decide, he added.