US government asks High Court to refuse Facebook case referral
Data commissioner wants EU court to decide on EU-US data transfers
Data Protection Commissioner, Helen Dixon Photograph: Eric Luke
The US government has urged the High Court to refuse the Data Protection Commissioner’s bid to have the Court of Justice of the EU (CJEU) decide issues with potentially enormous consequences for EU-US data transfers.
Eileen Barrington SC, for the US, said the commissioner’s “unique”, “unusual” and “unprecedented” application for a reference to the CJEU was based on the commissioner’s “fatally flawed” draft finding concerning adequacy of remedies available in the US for breach of data privacy rights of EU citizens.
This application was of “critical significance” to the US for legal and commercial reasons and should be dismissed for reasons including that it had been “entirely overtaken by events”, particularly the 2016 agreement between the European Commission and US on the Privacy Shield framework for EU-US data transfers.
Ms Barrington was also instructed it was “inconceivable” to suggest measures governing activities of the US intelligence community could just “disappear” or be “surreptitiously revoked” by orders or measures of the US executive. She was making submissions in the continuing action by commissioner Helen Dixon, brought after she reached a draft finding in May 2016 that Austrian lawyer Max Schrems had “well-founded” objections concerning transfer of his personal data by Facebook Ireland to its US parent, Facebook Inc.
The draft finding was based on the commissioner’s assessment of adequacy of remedies available in the US for breach of data privacy rights of EU citizens.
Standard contractual clauses
The case is against Facebook and Mr Schrems but its essential purpose is to have the CJEU decide whether EC decisions approving use of standard contractual clauses (SCCs) for EU-US data transfers are valid or otherwise.
On Thursday, Ms Barrington began her submissions for the US government in its role as an amicus curiae or assistant to the court on legal issues.
This case is unique and unprecedented as it involves an EU member state being asked to review laws of a third country and to assess their adequacy in terms of EU law, counsel said. The US “is not just any third country” and already benefits from adequacy decisions adopted by the European Commission
The commissioner had “strikingly failed” to identify and fully consider the extent of remedies available, she said. The “uncontroverted” evidence from a US law expert for Facebook, was that the overall remedies available in the US were greater than those available in individual EU member states.
When the CJEU previously struck down the Safe Harbour agreement on data transfers after the High Court referred earlier issues in Mr Schrems’ case, both the High Court and CJEU proceeded on the basis of an “incomplete” picture of the US regime, she said. The US is “extremely anxious” to ensure that would not happen again. If the High Court did refer to the CJEU, and the US argued it should not, then the US was anxious the “full panoply of protections” should be comprehensively outlined to the CJEU.
Various “systemic” reforms were made after the Edward Snowden disclosures which were not considered during the earlier CJEU case, she added.
If the High Court decided to consider the adequacy of US law, although the US maintained it should not, it must look at the totality of protections available in the US and not just address the issue from the “narrow perspective of judicial decisions”. If it did so, it must conclude the remedies are adequate.
The commissioner had not considered submissions from the US government concerning Privacy Shield or sought submissions from the US government on US law before making her draft finding. The commissioner’s side said her concern was “to get it right” and she was not advocating a particular result but the case had “taken on all the hallmarks of adversarial proceedings”.
Earlier, Michael Cush SC, made submissions for another amicus curiae, Digital Europe, representing the European digital technology industry. He argued the case had potentially enormous adverse consequences for the digital industry if it led to any interruption of transatlantic data transfers. The commissioner’s decision was wrong and involved an incorrect application of Articles 25 and 26 of the European data privacy directive, he submitted.
The case continues.