Landmark Safe Harbour case might affect US-European trade
Max Schrems’s case against the Irish Data Protection Commissioner is likely to have profound implications
The original complaint, taken by Austrian law student Max Schrems (above) against Irish Data Protection Commissioner Billy Hawkes (below), argues that the DPC took the wrong decision in refusing to investigate whether Schrems’s Facebook data was given adequate protection
The original complaint, taken by Austrian law student Max Schrems against Irish Data Protection Commissioner Billy Hawkes, argues that the DPC took the wrong decision in refusing to investigate whether Schrems’s Facebook data was given adequate protection in the US under existing “Safe Harbour” data safeguards agreed in 2000 between the US and EU.
Currently, if American companies state they are compliant with Safe Harbour, they are allowed to handle the data of EU citizens.
Schrems’s case turns on the fact that, as revealed by whistleblower Edward Snowden, Facebook and other companies gave data under the Prism scheme to the US National Security Agency (NSA). Privacy advocates say this would violate the Safe Harbour agreement.
High Court Justice Gerard Hogan has referred the case to the ECJ to determine whether, in light of data protections offered to all Europeans under Article 8 the EU Charter of Fundamental Rights, Safe Harbour can be deemed to comply and offer sufficient protection.
“The referral is very interesting because it would mean the ECJ might have to overturn Safe Harbour,” says John O’Connor, partner and head of the Technology and Commercial Contracts Group at Dublin legal firm Matheson.
‘Not fit for purpose’
Given the age of the Safe Harbour agreement and the explosion in internet commerce as well as all forms of trade dependent on data exchange, O’Connor notes Safe Harbour “is probably not fit for purpose” anyway. The old data protection regime where Safe Harbour might have fit in, “just doesn’t fit as well any longer”.
It was also drawn up before the EU Charter of Fundamental Rights was brought in as part of the Lisbon Treaty.
Justice Hogan indicated that a year of revelations on widespread data surveillance by the NSA raised critical concerns about data safeguards.
“It is very difficult to see how the mass and undifferentiated accessing by state authorities of personal data generated perhaps especially with the home . . . could survive [Irish] constitutional scrutiny,” or European privacy guarantees, he wrote in his referral.
“The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life with the home would be immune from potential state scrutiny.” He compared such a situation to that in place in East Germany during the Cold War era.
Safe Harbour “may reflect a somewhat more innocent age in terms of data protection”.
Hogan noted that the DPC had acted rightly and within its limited powers under Irish data protection law. But he said that the case required the consideration by the ECJ of the larger issue of the adequacy of the existing European agreement, even though ostensibly, it is not the specific subject of Schrems’s complaint.