Data watchdog clashes with US over EU citizens’ privacy rights
Commissioner cites defects in US safeguards as case against Facebook Ireland opens
Data Protection Commissioner Helen Dixon brought the case aimed at having the Court of Justice of the EU decide whether transatlantic data transfer channels breach the privacy rights of EU citizens. Photograph: Cyril Byrne
A clash between the Data Protection Commissioner and the government of the United States over the adequacy of US legal safeguards for the data-privacy rights of EU citizens has emerged at the Commercial Court.
Commissioner Helen Dixon has brought a case, with potentially enormous implications for trade and privacy rights of millions of EU citizens, aimed at having the Court of Justice of the EU (CJEU) decide whether transatlantic data-transfer channels breach the privacy rights of EU citizens.
The commissioner has formed a “provisional” view that there are “deficiencies” concerning rights of EU citizens to access remedies under US law for breach of data-protection rights under European law, the court was told on Tuesday.
The significance of the case, listed for three weeks at costs of millions of euro, is underlined by the US government’s first ever involvement in litigation in the Irish courts.
Its lawyers claim “significantly enhanced” protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows.
Any finding the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”, they argue.
Legal experts from the US and various EU states have provided reports outlining their views on the extent and adequacy of the US protections, including under the Foreign Intelligence Security Act 1978 and US Patriot Act 2001. The power of the US president to make executive orders was also raised during the opening of the case by Michael Collins SC.
The commissioner initiated her proceedings after forming a draft view in 2015, having examined a complaint by Austrian lawyer Max Schrems over his personal Facebook data being transferred to the US, that he had “well-founded” objections that the transfers had breached his privacy rights as an EU citizen.
Mr Schrems complained in June 2013 after former US National Security Agency contractor Edward Snowden revealed surveillance by the agency of certain internet and telecommunications systems operated by companies including Facebook, Microsoft and Google.
The High Court referred issues in the case to Europe and in 2014 the CJEU ruled the Safe Harbour framework for data transfers was invalid under the EU charter due to failure to enable EU citizens to pursue effective legal remedies in the US over any alleged breach of their EU privacy rights.
The commissioner’s current case is against Facebook Ireland, because it transfers data from its European headquarters in Dublin to its parent in the US, and Mr Schrems as complainant.
No orders are sought against either defendant and the case is essentially aimed at having the CJEU decide whether three European Commission decisions of 2001, 2004 and 2010, upholding the validity of data-transfer channels, known as standard contractual clauses (SCCs), are valid.
The commissioner’s draft view is that the SCCs do not provide adequate protection equivalent to that provided under EU law, Mr Collins said. Her concerns include that certain US statutory provisions provide limited remedies for data-privacy violations, including allowing a remedy for “wilful” violations only.
The commissioner is also concerned US law makes it more difficult for an EU citizen to get the necessary legal standing to be heard by a US court over alleged breach of data privacy rights.
While Facebook argues different levels of protection apply “on the ground” in various EU member states for data transfers within the EU, the issue is whether US law provides EU citizens with equivalent protection and access to court as available under EU law, counsel said.
Several concerned parties are involved in the case as amici curiae, assistants to the court on legal issues. They include the US government; Business Software Alliance (BSA); the Washington DC-based Electronic Privacy Information Centre (Epic); and Digital Europe, representing digital technology associations and corporations operating in Europe.
The case continues on Wednesday.