Austrian student’s ‘case of great principle’

Anyone hoping for a quiet few hours at Luxembourg’s European Court of Justice (ECJ) yesterday went home disappointed. What could have been a dry discussion of 15- year-old EU legislation instead became something far more compelling.

Perched on Luxembourg's Kirchberg, the golden courtroom was packed with 14 legal teams, including four from Ireland. As lunchtime neared, hunger was soon forgotten as legal counsel for the European Commission was subjected to a pitiless cross-examination by judges at the EU's highest court.

By 1pm yesterday, what began as Austrian law student Max Schrems nagging Ireland's data privacy police to investigate Facebook International in Dublin had snowballed into what one ECJ judge yesterday dubbed a "case of great principle".

The principle: what has become of the fundamental right of all EU citizens to privacy in the era of Facebook and the NSA?

In a slow and tormenting legal striptease, ECJ judges finally got the European Commission counsel Bernhard Schima to admit that so-called "Safe Harbour" principles on what happens to EU citizens' data in the US are not very safe at all.

Facebook

“Let’s imagine I am on Facebook and I decide my rights have been breached,” said advocate general

Yves Bot

. “If I don’t see the [European] commission taking action, what recourse do I have open to me?”

After some hemming and hawing, European Commission counsel Bernhard Schima said: “You might consider closing your Facebook account and revoking your consent.”

Judge Bot replied drily: “I anticipated that problem by never opening a Facebook account.”

That the EU executive advised self-help over Brussels help in securing privacy was a telling moment in this complex case. Another key question for all participants was whether citizens can turn to their national data protection bodies if they feel the commission has failed them?

Yes, say the legal teams for Max Schrems and Digital Rights Ireland. Counsel from Belgium and Austria backed their view, particularly given "blatant interference" by US intelligence in data collection as alleged by Edward Snowden allegations.

“If that is not considered sufficiently serious interference, one might wonder what is a sufficiently serious interference,” said Jean-Christophe Halleux for Belgium.

Austrian counsel said national data protection commissioners (DPCs) were obliged to intervene to defend citizens' rights to privacy and, where necessary, to "take restrictive measures" on data transfer. The 15-year- old Safe Harbour provisions, Austrian counsel Gerhard Kunnert said, lacked legal teeth.

“It could be said that the safe harbour is not a safe harbour for data of EU citizens, but a safe harbour for pirates,” he said.

UK counsel disagreed that national DPCs should get involved and backed the Irish state and Irish DPC positions. The lead role in “Safe Harbour” lies with the commission and it was inappropriate for the ECJ to “supplant” ongoing EU-US talks on new rules.

Fundamental rights

But what chance does the commission have of securing a robust new privacy arrangement with the US that respects fundamental privacy rights? No chance said Mr

Herwig Hoffmann

, counsel for Max Schrems.

The US wields secretive and indiscriminate powers to collect data, he said, and had never offered Brussels any commitments to guarantee EU privacy standards for its citizens’ data. On the contrary, said Mr Hoffmann, “Safe Harbour” provisions could be overruled by US domestic law at any time.

Thus he asked the court for a full judicial review of the “illegal” Safe Harbour principles which, he said, violated the essence of privacy and left EU citizens “effectively stripped of any protection”.

DPC counsel Paul Anthony McDermott SC suggested that Mr Schrems had not been harmed in any way by the status quo.

“This is not surprising, given that the NSA isn’t currently interested in the essays of law students in Austria,” he said.

Mr Travers for Mr Schrems disagreed, saying "the breach of the right to privacy is itself the harm".

Clarity and guidance

Though Ireland’s DPC was listed as one of the main parties, attention shifted only briefly to it and to Ireland’s reputation as being “soft” on data protection. How many lawyers, one judge wanted to know, did the Irish DPC employ? Neither counsel for the DPC nor Ireland were able to say for sure.

Mr Fennelly SC for Ireland insisted that Ireland applies data protection rules in the same way as all EU member states but said it would "welcome clarity and guidance" on issues before the court.

Clarity will come with the ECJ’s verdict on June 24th. Until then, the man who started the EU privacy ball rolling was satisfied with yesterday’s hearing.

“The Irish DPC and the European Commission are the ones on trial here,” said Max Schrems, “for not taking these issues seriously.”