Data watchdog’s ‘blind trust’ criticised by German regulators

German data protection regulators have attacked their Irish colleagues for placing “blind trust” in Facebook’s promises that it processed EU citizen data in the US in line with European law.

The criticism comes ahead of tomorrow’s European Court of Justice ruling on whether the existing “Safe Harbour” arrangement, expediting citizen data transfer between the EU and US, is in line with EU guidelines.

Last week the court's advocate general Yves Bot recommended ruling Safe Harbour "invalid" as a breach of EU law and fundamental rights to data protection and privacy.

Mr Bot disagreed with the the Irish Data Protection Commissioner, which oversees Facebook's international operation in Dublin, that it had no means to intervene when asked to do so by Max Schrems, an Austrian privacy campaigner.

Mr Schrems filed a complaint with the commissioner that Facebook was violating his data and privacy rights following claims by Edward Snowden that it and other US technology companies were obliged, directly or indirectly, to provide US intelligence agencies access to all user data.

The commissioner ruled the case “frivolous and vexatious” but, in a judicial review, the High Court asked the European Court of Justice for clarification on Safe Harbour, which allows US companies self-certify that EU data will enjoy similar standards of protection even when stored by US parent companies.

Irrespective of the Snowden allegations, and ahead of the European Court of Justice final ruling, the Schrems case has exposed Safe Harbour as an "illusion", according to Marit Hansen, data protection regulator for Germany's northern state of Schleswig-Holstein. She also criticised Ireland's commissioner for helping US tech giants based in Dublin maintain that illusion. "The Irish authority took a position of blind trust," said Ms Hansen to Germany's Frankfurter Allgemeine daily.

That criticism is shared by leading European data protection figures, who argue the commissioner needs to become more active in using its powers, even when policing the work of the European Commission.

Jan-Philipp Albrecht, German MEP with the Green Party and a data protection campaigner, said it was “absurd” for the national data protection authorities to defer to the commission in cases like this.

“We expect bodies in individual countries to act because this isn’t just about the rights of Irish citizens but all EU citizens under the charter of fundamental rights,” he said.

Joe McNamee, executive director of the Brussels-based European Digital Rights lobby group, said tomorrow’s ruling could oblige Ireland’s regulator to intervene more rigorously in future if it receives complaints of breaches of EU fundamental rights to privacy and data protection.

“The problem is that the Irish DPC [Data Protection Commissioner] kept to the line of least resistance on this, as it has done on other [data protection] points,” said Mr McNamee. “The question is: does the DPC have to be taken to court to force it to do what it’s there to do?”