Irish data protection case ‘of the utmost importance’ to US

Application by US to join High Court action following Max Schrems claims over validity of data transfers between EU and US

 Austrian Max Schrems  complained Facebook Ireland was transferring his data via SCCs to servers located in the US, where it was being processed, without ensuring sufficient protection for it as required under the Charter of Fundamental Rights of the EU.

Austrian Max Schrems complained Facebook Ireland was transferring his data via SCCs to servers located in the US, where it was being processed, without ensuring sufficient protection for it as required under the Charter of Fundamental Rights of the EU.

 

The US government has said the Irish Data Protection Commissioner’s action querying the validity of the main channels being used for EU-US data transfers is “of the utmost importance to the United States and to the broader public”.

An unprecedented application by the US to join the High Court action will be heard next month alongside similar applications by major Irish, European and US business and civil liberties organisations.

Commissioner Helen Dixon initiated the case following her draft finding last month that Austrian student Max Schrems had raised “well-founded objections” to the validity of EU-US data transfer channels, known as Standard Contractual Clauses (SCCs).

Max Schrems complaint

Mr Schrems complained Facebook Ireland was transferring his data via SCCs to servers located in the US, where it was being processed, without ensuring sufficient protection for it as required under the Charter of Fundamental Rights of the EU.

Use of SCCs has been approved under various European Commission decisions but concerns whether SCCs accord with data protection rights of EU citizens have mounted since the Court of Justice of the EU (CJEU) last year struck down the previous EU-US Safe Harbour data transfer arrangement.

The CJEU ruling was based on the indiscriminate and mass nature of US surveillance and a finding EU citizens had no effective remedy under US law for breaches of their privacy rights.

After a seven-month investigation, Ms Dixon has made a draft finding SCCs also breach privacy and data protection rights of EU citizens.

In her proceedings against Facebook Ireland (because Facebook’s European headquarters is based in Dublin) and Mr Schrems, the commissioner wants the High Court, if it shares her doubts about the validity of the SCCs, to ask the CJEU to decide that issue.

Hearing fixed

The case was briefly mentioned on Monday before Mr Justice Brian McGovern who fixed July 7th to hear applications to be joined to it as amicus curiae (assistant to the court on legal issues). Some joinder applications are being contested, the court was told.

Ronan Lupton BL, for Digital Rights Ireland, said, due to opposition from Mr Schrems, DRI was not pursuing its joinder application.

The judge will hear joinder applications by the US government; Business Software Alliance (supported by the American Chamber of Commerce in Ireland*); Irish Business and Employers Confederation and Digital Europe, representing the European digital technology industry.

A further application is jointly brought by the American Civil Liberties Union and Irish Council for Civil Liberties. The Electronic Frontier Foundation and EPIC (Electronic Privacy Information centre), both US based data privacy watchdogs, are also among those who want to be joined.

“Utmost importance”

US attorney Donna Chapin, of the US Department of Justice, said in a sworn statement the case was of the “utmost importance” to the US government as it raises issues concerning the legality, as a matter of EU law, of the present regime governing transfer of EU citizens data to the US, “and the circumstances in which such data are accessed and processed on law enforcement and national security grounds”.

The US was best placed to provide an “accurate, up to date and comprehensive account” of the relevant US legal regime concerning access to data by government authorities, including available redress measures, she said.

The new Privacy Shield Framework negotiated by the EU and US, and any adoption of a draft European Commission decision of February 2016 which concluded the US regime meets the requisite test for an “adequate level of protection”, may have considerable implications for the case, she believed.

While it was premature at this stage for the US to commit to defining the particular matters it proposes to comment upon, it did want to make submissions on the commissioner’s draft decision, she said.

Privacy Shield

The commissioner had said she had received unsolicited submissions last month from the US concerning the Privacy Shield framework but had formed her own “independent view” after seeking independent expert advice on cetrian matters of US law but that advice had not so far been seen by the US government, Ms Chapin said.

In the joint ICCL/ACLU joinder, the ACLU said it has “deep concern” about the possibility of rights violations associated with the US government’s “mass surveillance”, plus the “great difficulty” of getting “meaningful redress” for such violations.

The BSA said SCcs provide the legal foundation for millions of daily data transfers to countries outside the European economic area and thousands of European and non-European companies rely on them to transfer customer data to locations outside Europe, including the US.

If SCCs were unavailable, using a smartphone to send an email or withdrawing cash from an ATM would become “nearly impossible”, it said.

Ibec said Irish businesses, including those using “cloud-based” data storage solutions offered by entities using SCCS, stand to be very significantly affected by any decisions in the case.

*This article was edited on June 29th 2016