Any disclosures of the personal data of Facebook Ireland's users at the request of US government agencies are subject to "appropriate security safeguards" protecting the data from unauthorised access, the company has told the Commercial Court.
In an affidavit, Yvonne Cunnane said Facebook Inc, Facebook Ireland's US-based parent, has adopted a "world-class information security programme" and it discloses Facebook Ireland user data to US government authorities only in "limited circumstances".
Ms Cunnane, a solicitor and head of data protection and privacy for Facebook Ireland, also said an agreement governing data transfers between Facebook Ireland and its US parent contains a “robust set” of remedy and oversight provisions.
Dr Joshua P Meltzer, a US-based international trade law professor said, in a report for Facebook, that restricting the ability to move personal data from the EU to the US could negatively affect EU economic growth by between €118-190 billion.
Impact
Those estimates were low because they failed to capture the impact of restricting personal data flows on value-added services trade, he said.
He also believed EU services exports to the US could fall by up to 6.7 per cent and there will be less foreign direct investment in the EU, particularly in data-intensive sectors.
In his report for Facebook, John Delong, a former director of compliance with the US National Security Agency, said US signals intelligence activities provide "significant benefit" to the "safety, security and liberty" of the US and EU.
Ms Cunnane’s affidavit and the two reports were among a range of reports and other materials put before the court to support Facebook’s opposition to the conintuing proceedings by the Data Protection Commissioner.
The case is aimed at having the Court of Justice of the EU (CJEU) decide the validity of European Commission decisions allowing the use by Facebook and others of SCCs (standard contractual clauses) for transatlantic data transfers.
The commisisoner wants the referral before finalising her investigation into a complaint by Austrian lawyer Max Schrems over transfer of his personal data by Facebook Ireland – because its European headquarters are in Ireland – to its parent in the US.
The commissioner has made a draft finding Mr Schrems raised “well-founded” objections to the transfer for reasons including her concerns about the adequacy of protections and remedies in the US concerning breach of data privacy rights of EU citizens.
The commissioner’s case is against Facebook and Mr Schrems but no orders are sought against them and the purpose of the action is to get a referral. The US government is among a number of concerned parties joined to the case as amici curiae, assistants to the court on legal issues.
Concerns
On Wednesday, Brian Murray SC, for the Commissioner, told Ms Justice Caroline Costello the evidence concerning the legal protections available in the US for non-US persons should lead to the judge sharing the commissioner’s concerns and referring the matter to the CJEU.
US law governing the necessary legal standing to get a hearing before the US courts is an “extremely significant obstacle” for non-US citizens seeking to pursue data protection claims and is not the same as mandated under EU law, he said.
The commissioner is also concerned that requirements to notify people their data has been accessed are more limited in the US than the EU, counsel outlined. Without an obligation to notify people their data has been accessed following confirmation such notification will not prejudice any investigations, there is “no effective remedy”, he said.
When examining some of the US law arguments advanced on behalf of Facebook, the court should be struck by how “removed” those are from “any clear authority” establishing the propositions being advanced, he argued.
The case continues on Thursday.