Watchdog takes bizarre legal route in data privacy case
Analysis: Data commissioner takes needlessly costly route in Schrems case
Data Protection Commissioner Helen Dixon. Photograph: Cyril Byrne
One of the most closely watched, internationally significant cases relating to data privacy and commercial activity is currently before the court in Ireland.
The case arises out of last year’s European Court of Justice (ECJ) decision that the ODPC had a duty to investigate Schrems’s complaint against Facebook Ireland regarding the handling of his data in the United States.
In that decision, the ECJ effectively invalidated the old EU/US-agreed Safe Harbour principles. These theoretically ensured European data was given the same protections in the US as under European law but – as the justices rightly noted – was a flimsy construct even before you considered whistleblower Edward Snowden’s evidence of large-scale US surveillance and data-gathering programmes involving companies including, Snowden alleged, Facebook.
In June, the EU confirmed a controversial Safe Harbour replacement, called Privacy Shield, to address the concerns raised in the Schrems decision. Does it? Well, the article 29 working group of Europe’s data protection authorities this week announced continuing reservations with Privacy Shield.
However (and this is where it gets confusing), before going further she asked the Commercial Court here to consider an issue of key import to many international businesses.
This is whether companies could safely opt to use private contracts called model contracts or standard contractual clauses, to exchange data. Facebook used these post-Schrems and pre-Privacy Shield.
Dixon’s draft decision regarding Schrems’s complaint indicates that model clauses are invalid, as they fail to address the same concerns raised by the ECJ over Safe Harbour. Two weeks ago, former US federal trade commissioner Julie Brill – who helped negotiate Privacy Shield – said in Dublin that she doubted model contracts were adequate, given that they were private contracts with little transparency.
Yet model contracts continue to be used by many companies, especially multinationals. Many of these, such as Amazon, told customers that data transfers post-Schrems were covered by model contracts. The European Commission itself said –in a wishy-washy way – that they were too. Probably.
The importance of the model contracts issue and this Irish case is such that the US Government, in a rare move, successfully asked to be appointed ‘amicus curiae’ — an informed advisor — to the court. So too did US privacy organisation the Electronic Privacy Information Centre (EPIC).
But the ODPC has chosen a bizarre route to ask this critical question. Strangely, it is taking a Commercial Court action to request a referral to the ECJ on the point, naming Facebook and Schrems as defendants.
This strategy is baffling (especially naming Schrems as a co-defendant. Why?). Perhaps the ODPC reasoned that the case would be fast-tracked in the Commercial Court. But that has been proven wrong as of this week, when the judge put back the case until February next year, because of the need to find adequate (two weeks) court time. Facebook, predictably, had indicated it needed significant time to prepare its case.
Costly court time
That’s going to be costly time, because the Commercial Court is many times more expensive than other courts.
On past example, costs could be expected to run in excess of a million euro for a two-week case. The entire annual budget of the ODPC is €4million. For Facebook, which earned $18 billion in revenue last year, money isn’t an issue. For the ODPC, (under)funded by taxpayers, it should be.
For Facebook, the delay will no doubt be handy as it builds a case in which it told the court that it intends to dispute the findings of fact for the ODPC’s decision, facts based on Snowden’s damaging accusations. This case, in short, is a rare chance for Facebook to make a very public defence against Snowden’s allegations. No wonder the US government is eager to be involved.
There were better, more cost-effective and faster approaches to decide this issue. The ODPC could have just asked the High Court to advise on its draft decision, and refer a question to the ECJ on model contracts. Or it could have issued a final decision and left Facebook (or Schrems) to appeal to the considerably less expensive Circuit Court, at a cost of about €15,000.
Instead, we are looking at a high-cost decision from the Commercial Court in February. A referral to the ECJ then typically takes another 12-18 months, pushing any model contracts ruling into 2018.
By that point, the whole issue is likely to be moot. Either another country will fast track a model contracts case or the ECJ likely will have heard a challenge to Privacy Shield.
If deemed adequate, Privacy Shield will be the easier, preferable option for data transfers. If inadequate, transatlantic business will be in a state of emergency and model contracts won’t be a reliable answer.