Data commissioner tells court US law fails to protect privacy
Regulator cites lack of access to effective remedies in US if data privacy is breached
Data Protection Commissioner Helen Dixon arriving for the Commercial Court case. Photograph: Eric Luke
The Data Protection Commissioner has reached a provisional view that recent changes in US law fail to adequately protect the data privacy rights of European Union citizens whose personal data is sent to the United States, the Commercial Court has heard.
Commissioner Helen Dixon made her draft finding in May 2016 after receiving independent expert advice on US law, her counsel Michael Collins said.
The commissioner also got “unsolicited” submissions from the US government concerning the new Privacy Shield framework between the European Commission and US, he added.
Before reaching a final view, the commissioner wants the Irish court to ask the Court of Justice of the EU (CJEU) to decide the validity of European Commission decisions approving transatlantic data transfer channels – standard contractual clauses (SCCs) – used by Facebook and others.
The commissioner’s provisional view is the SCCs do not guarantee protection of EU citizens’ data for reasons including the lack of access to effective remedies in the US for breach of data privacy rights.
Her case has potentially enormous consequences for trade between the EU and US and data privacy rights of millions of EU citizens.
It arises from a June 2013 complaint by Austrian lawyer Max Schrems alleging his privacy rights under the EU charter were breached by transfer of his personal data by Facebook Ireland to its US parent Facebook Inc.
The complaint followed revelations by former US National Security Agency (NSA) contractor Edward Snowden of NSA surveillance of certain internet and telecommunications systems operated by companies including Facebook, Microsoft and Google.
After the CJEU determined the existing Safe Harbour regime for EU-US data transfers was invalid because it failed to adequately protect data-privacy rights of EU citizens, the Irish courts directed the commissioner to investigate Mr Schrems’s complaint.
The commissioner made a draft finding in May 2016 that the complaint was “well-founded” but wants a CJEU decision whether the SCCs are valid before finalising her decision.
While her case is against Facebook and Mr Schrems as data sender and complainant, no orders are sought against them and the purpose of the action is to get a referral to the CJEU. The US government is among several parties involved as amici curiae, assistants to the court on legal issues.
Ms Justice Caroline Costello will hear evidence from legal experts on whether protections under US law for EU citizens’ data privacy rights are equivalent to the protections guaranteed under the EU charter and EU law.
On Wednesday, Mr Collins said the commissioner’s view is developments in US law since 2013 do not adequately meet her concerns about deficiencies in US protections for data-privacy rights of EU citizens.
Her view is that while EU citizens are not completely without redress in the US, “specific and general deficiencies” remain and the remedies available are fragmented, incomplete and arise only under certain factual circumstances.
She is also concerned about the difficulties facing EU citizens in getting access to the US courts to seek redress and about restrictive interpretations by the US courts of relevant legislative provisions.
Even if a EU citizen meets the criteria for a remedy for electronic surveillance under the Foreign Intelligence Security Act, it appears, on foot of US court decisions, they cannot sue the US government, Mr Collins added.
Developments since 2013 include a 2014 presidential policy directive 28 (PPD28) by former president Obama setting out “high-level principles” to be observed by intelligence agencies, especially in relation to non-US persons. While such executive or presidential orders have the force of law in the US, they don’t give rise to enforceable rights for parties, Mr Collins said.
The Judicial Redress Act 2013 provided some extension of remedies of the 1974 Privacy Act to some non-US persons in designated countries but the US only last week designated the EU – excluding the UK and Denmark – as covered countries under the Act, he added.
The case continues on Thursday.