A major action by the Data Protection Commissioner aimed at having the Court of Justice of the European Union (CJEU) decide if transatlantic data transfer channels breach privacy rights of EU citizens has opened at the Commercial Court.
The commissioner has formed a “provisional” view there are “deficiencies” concerning the rights of EU citizens to access remedies under US law for any breach of their data protection rights protected by the European Charter, the court was told today.
Michael Collins SC, for Data Protection Commissioner Helen Dixon, said she had also formed the draft view the transatlantic data transfer channels – known as standard contractual clauses (SCCs) – do not provide the level of protection necessary.
If the court shares the commissioner’s doubts, it should ask the CJEU to decide whether those channels are valid and provide adequate protection for the rights of EU citizens, he said. The commissioner was not bringing this case for any vested interest or agenda, he said. Her concern is “simply to get it right”.
Implications
The potentially huge implications of the case for EU-US trade and privacy rights are underlined by the US government’s first ever involvement in litigation in the Irish courts.
The US government will argue “significantly enhanced” protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows. Any finding by the Irish or European courts that the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”, it claims.
The US government's claims concerning the adequacy of the US safeguards are disputed, including in an expert report to the court by US lawyer Ashley Gorski, of the National Security Project of the American Civil Liberties Union, who will give evidence on Friday.
Among various claims, Ms Gorski argues there is “extremely limited” judicial oversight of actions taken under the US Foreign Intelligence Surveillance Act. That Act provides a low threshold for targeting non-US persons and also includes an exception allowing the US government retain communications of US and non-US persons if it concludes they contain any information broadly considered “foreign intelligence”, she alleges.
The adequacy of the US safeguards, and the effectiveness of remedies for any breach of rights, are key issues in the case, expected to last at least three weeks and cost several million euro.
It concerns transfer of data by Facebook Ireland Ltd (FIL) – Facebook's European headquarters are in Dublin – to its parent company Facebook Inc and whether that transfer is lawful under Irish and EU data protection law.
Ms Justice Caroline Costello will hear evidence from a large number of legal experts from the US and several European countries, including the well-known UK human rights lawyer and author, Geoffrey Roberston QC who has provided an expert report for Facebook.
The case stems from a June 2013 complaint by Austrian lawyer Max Schrems to the commisisoner alleging FIL's transfer of his personal data to the US was unlawful. He made that complaint after former US National Security Agency (NSA) contractor Edward Snowden disclosed documents revealing surveillance by the NSA of certain internet and telecommunications systems operated by companies including Facebook, Microsoft and Google.
Mr Schrems, who is in court today, later took proceedings over the alleged failure by the commissioner to investigate his complaint. That refusal was based on her view she must accept EC decisions on the validity of data transfer channels known as Standard Contractual Clauses (SCCs).
After the Irish High Court referred issues in the case to Europe, the CJEU ruled the Safe Harbour framework used for data transfers was invalid under the EU Charter due to failure to enable EU citizens pursue effective legal remedies in the US over any alleged breach of their EU privacy rights.
The case then returned to the Irish courts and the High Court in October 2015 quashed the commissioner’s refusal to investigate his complaint.
The commissioner opened an investigation into a reformulated complaint and her office made a draft finding in May 2015 that Mr Schrems had raised well-founded objections over whether the data channels breached the date privacy rights of EU citizens.
The commissioner took the current proceedings after deciding she could not complete her investigation without a ruling from the CJEU on the validity of three European Commission decisions of 2001, 2004 and 2010 approving the SCCs.
Concerned parties
Her case is against FIL and Mr Schrems. Several concerned parties, including the US government, have been joined to the case as amici curiae (assistants to the court on legal issues). Other amici include the Business Software Alliance (BSA); the Washington DC based Electronic Privacy Information Centre (EPIC); and Digital Europe, representing digital technology associations and corporations operating in Europe.
Mr Collins stressed today no orders are being sought against Mr Schrems and Facebook and the commissioner’s primary intention in this case is to have the issues referred to the CJEU.
The case continues.