High Court approves US bid to join data privacy case

A High Court judge has granted an unprecedented application by the US government to be joined to a major legal action here over whether existing EU-US data transfer channels unlawfully breach the privacy rights of EU citizens.

He was satisfied the US government has a “significant and bona fide interest” in the outcome of the case, Mr Justice Brian McGovern said.

He today gave his reserved judgment on applications by the US government and several other parties to be joined as amicii curiae (assistants to the court on legal issues) to the action by the Irish Data Protection Commissioner aimed at deciding the validity of channels, known as Standard Contractual Clauses (SCCs), being used for daily EU-US data transfers.

The Commissioner wants the validity of the channels referred by the High Court to the Court of Justice of the EU (CJEU) for determination. Unless a party has been joined by the Irish High Court, it cannot participate in any reference to the CJEU. Today, the judge said he would join the US government as amicus because it has a “significant and bona fide interest” in the outcome. At issue is the assessment, as a matter of EU law, of the US’ law governing transfer of EU citizens’ data to the US, he said.

The imposition of restrictions on the transfer of such data would have potentially considerable adverse effects on EU-US commerce, could affect US companies significantly and he was satisfied the US could bring “added value” to the case.

He also joined US-based data privacy watchdog, EPIC (Electronic Privacy Information Centre), on the basis it could offer a “counter-balancing perspective” from that of the US government concerning the position in the US.

EPIC claims to be the leading privacy and freedom of information organisation in the US with special expertise in government surveillance and related legal matters, he noted.

Also joined was the Business Software Alliance, a global trade association whose application was supported by the American Chamber of Commerce Ireland. The BSA's members include internet giants such as Apple and Intel, as well as smaller entities, and he considered it could provide relevant views not otherwise available to the court.

Joining Digital Europe, he said it is the principal representative body on matters for EU policy for members of the digital technology industry in Europe and many of its members have an interest in and will be affected by the decision made in the case. He was satisfied it can assist the court.

Hr refused to join the Irish Business & Employers Confederation, the representative group for Irish business, after finding it could not add anything to assist the court.

Refusing to join the Irish Human Rights & Equality Commission, the judge said the Data Protection Commissioner has a particular statutory remit in relation to issues of data protection and is the designated national supervisory authority for monitoring the application of the relevant EC Directive in relation to protecting the data privacy of individuals. He was not satisfied the IHREC could offer assistance that cannot be offered by the Commissioner.

He also refused to join the American Civil Liberties Union/Irish Council for Civil Liberties; another US-based data privacy watchdog, the Electronic Frontier Foundation; or UK-based data privacy campaigner Kevin Cahill on grounds including his view they would not offer any particular assistance or a different perspective not already available.

In a draft finding last May, Commisisoner Helen Dixon found Austrian lawyer Max Schrems had raised "well-founded" objections to the validity of the SCCs. A "Privacy Shield", adopted by the European Commission earlier this month following discussions between the EU and US, may affect the wording of any referral. The SCCs were approved under European Commission decisions of 2001, 2004 and 2010 but doubts about their validity have mounted after disclosures about US mass surveillance by Edward Snowden and since the CJEU last year struck down the 15-year-old Safe Harbour arrangement for EU-US data transfers. The Commissioner's case is against Facebook Ireland, because Facebook's European headquarters are here, and Mr Schrems because she considers they are the appropriate parties to address the relevant issues arising from Mr Schrems' complaint.

The case raises significant issues concerning surveillance by US national security agencies and whether US law provides an adequate remedy for any breach of privacy rights of EU citizens. The BSA has claimed, if the existing channels are ruled invalid, that could cost losses to the European economy of €143 billion a year. The judge has adjourned the case to Monday when he will hear an application by Mr Schrems for a protective costs order which, if granted, would mean Mr Schrems would not be exposed to costs of the litigation.

The judge will also make directions on Monday for exchanging legal documents for the hearing of the application for a reference to the CJEU.

“The fact that the US government intervenes in this lawsuit, shows that we hit them from a relevant angle,” Mr Schrems said in a statement. “The US can largely ignore the political critique on US mass surveillance, but it cannot ignore the economic relevance of EU-US data flows. The solution of this issue can however not be that the EU waives its fundamental rights, but that the US gives proper legal protection to the data of foreigners, when they use US services. Especially as ‘cloud’ services are promoted, the US government has to ensure proper protection of stored information.”

He said he hoped the technology industry in the US would also push in this direction as a result.