fresnel6 - Fotolia

How a Dublin court case could derail EU-US data privacy agreements

The Irish Commercial Court will consider whether privacy protection offered by standard contractual clauses for data transfers to the US from Europe is legally valid

The Schrems-Facebook court case in Dublin has potentially huge implications for EU-US trade and privacy rights. The US government will argue that any finding by the Irish or European courts that the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”.

Standard contractual clauses (SCCs) are a device to permit the transfer of data between the European Union (EU) and the US. The importance of SCCs increased after the European Court of Justice struck down the Safe Harbour agreement for data transfers in October 2015.

They are a measure agreed outside the actual data protection legislation by the Article 29 College of European Regulators (CNIL). While a successor to Safe Harbour was negotiated, SCCs were one of the main methods used by companies to justify transatlantic data traffic.

Helen Dixon, the Irish data commissioner and a member of CNIL, initiated the current court case last year, and is doing so because only the European Court, on the basis of a reference from a member state court – in this case the Irish Commercial Court – can ultimately decide on the validity of SCCs.

The litigation in Dublin is complicated by the fact that Privacy Shield replaced Safe Harbour with effect from 1 August 2016.

Schrems’ complaint justified

Dixon is taking this litigation to comply with an order from both the Irish High Court and the European Court of Justice that she should investigate the original complaint made by Austrian law student Max Schrems in June 2013, and subsequently amended by him to include the complaint about SCCs.

Schrems took his complaint about transfer of data from the EU to the US, which focused on Facebook’s data collection and transfer to the US, to Ireland because the Irish data commissioner is responsible for regulating Facebook throughout the European Union.

The Irish data protection commissioner lost control of the original complaint when Schrems went to the Irish High Court in 2013. His aim was to have the refusal by Dixon’s predecessor, Billy Hawkes, to look at the complaint examined by a judge.

Read more about the Dublin court case

  • Justice Brian McGovern has fixed the hearing, which has potentially huge implications for EU-US trade and the data privacy rights of millions of EU citizens, to open on 7 February 2017.
  • A draft finding by the Irish data protection commissioner that existing EU-US data transfer channels are invalid on grounds of inadequate US legal protections for EU citizens’ privacy rights could cost €143bn a year, Facebook Ireland has claimed before the High Court in Dublin.
  • Dublin court case on the legality of Facebook’s data transfers to the US raises issues that affect US national security, claims US Department of Justice.
  • An Irish High Court judge has granted an unprecedented application by the US government to be joined to a major legal action over whether existing EU-US data transfer channels unlawfully breach the privacy rights of EU citizens.

This occurred with spectacular effect, leading to an Irish High Court finding of fact that Schrems’ complaint, mainly about Prism, the US surveillance programme, was justified.

The Irish High Court findings in June 2014, which included a determination that the US was engaged in “mass and indiscriminate surveillance”, were referred to the European Court of Justice. That court ruled in October 2015 that the Safe Harbour agreement for the transfer of data between the EU and the US was invalid.

At that point SCCs were adopted by companies to keep business flowing. The Article 29 Regulators reluctantly agreed to this.

In the meantime, the Irish data commissioner was faced with two problems: the order to investigate Schrems’ complaint; and the content of his complaint.

The practical effect of the court actions initiated by Dixon is to postpone the core content of Schrems’ complaint, which is Prism, until such time as the European Court of Justice rules on SCCs.

SCC legality in question

Dixon has raised three key legal concerns about SCCs that also apply to Privacy Shield, however. These are the European Union Charter of Rights Article 7, covering the protection of family life; Article 8, covering data privacy; and Article 47, on the right to a trial before a court of law for matters arising under the charter.

While some commentators believe Privacy Shield will fail the legal tests proposed by Dixon over SCCs, the issue is overshadowed by Prism for so long as it continues to be run by the US.

Prism is a US surveillance program that seeks to acquire client data of at least nine of the largest US internet giants, which are named in the Irish High Court ruling.

The evidence states that they are required by the US National Security Agency (NSA) to provide the “email, chat, video and voice, videos, photos, stored data, VoIP, file transfers, video conferencing, notification of target activity, logins, online social networking details, special requests” of their foreign users.

Carried out in full, this order would affect around 67% of European internet users – as many as 300 million people.

Case summary

The case began at the Irish Commercial Court, Dublin, at 10am on Tuesday 7 February 2017, before judge McGovern.

The applicant is Helen Dixon, data commissioner of Ireland. The respondents are Max Schrems, as a private individual, and Facebook Inc.

Amicus curiae (Friends of the Court) are: the United States government; the Business Software Alliance, an IT industry lobby group; Epic, a US public interest research centre; and Digital Europe, an IT industry lobby group.

Read more on Privacy and data protection

Data Center
Data Management