US data safeguards equivalent to EU rules, Facebook court told

American professor says US system both effective and adequate

Max Schrems, the Austrian student who complained to the Data Protection Commissioner about Facebook’s treatment of his data. Photograph: AFP

Max Schrems, the Austrian student who complained to the Data Protection Commissioner about Facebook’s treatment of his data. Photograph: AFP

 

Safeguards and remedies available in the US related to the data privacy rights of EU citizens are at least equivalent to, if not greater than, those provided by the EU, according to a report from a US law professor.

In his report to the Commercial Court prepared on behalf of Facebook, Prof Peter Swire said a combination of systemic safeguards and remedies in the US are effective and adequate.

The transatlantic data transfer channels being considered by the court, known as standard contractual clauses (SCCs), are necessary in a democratic society to protect national security and for personal well-being and are in accordance with law, he states.

The report by Prof Swire, professor of law and ethics at Georgia Institute of Technology, Atlanta, and a member of former US president Barack Obama’s review group on intelligence and communications technology, was referred to late on Thursday by Michael Collins SC in his continuing opening of the action by the Data Protection Commissioner concerning SCCs.

The commissioner wants Ms Justice Caroline Costello to refer for determination by the Court of Justice of European Union (CJEU) the validity of European Commission decisions allowing the use of SCCs for transatlantic data transfers.

The commissioner wants the referral before finalising her investigation into a complaint by Austrian lawyer Max Schrems over the transfer of his personal data by Facebook Ireland, because its European headquarters are in Ireland, to its parent in the US.

Draft finding

The commissioner has made a draft finding that Mr Schrems raised “well-founded” objections for reasons including concerns about the adequacy of protections and remedies in the US concerning breach of data privacy rights of EU citizens.

The commissioner’s case is against Facebook and Mr Schrems but no orders are sought against them and the purpose of the action is to get a referral. The US government is among a number of concerned parties joined to the case as amici curiae, assistants to the court on legal issues.

On Thursday, Mr Collins said the commissioner considered the European Commission’s approval last year of the EU-US Privacy Shield does not remove the need for a CJEU determination on the validity of the SCCs. Facebook argues otherwise, he said.

Facebook continues to use SCCs for data transfers and also uses the Privacy Shield framework and SCC transfers remain lawful as long as the SCC decisions remain in place, he added.

Some organisations may sign up to the Privacy Shield while others may not, and this case is about the SCC decisions, he said.

An ombudsperson who is independent of the US intelligence community but still a public servant responsible to the US secretary of state is provided for under Privacy Shield, he said.

Referring to the European Parliament having voted through tougher data protection rules in April 2016, counsel said the “bar will be higher” for privacy in Europe from 2018. It will have to be seen whether Privacy Shield will meet the requirements of the new general data protection regulation and other measures such as a new data protection directive, he added.

The case continues on Friday.