Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems
By way of update, the third week of proceedings by the Data Protection Commissioner (“DPC”) against Facebook Ireland Limited and Maximilian Schrems commenced on Monday 20 February 2017 in the Irish High Court.
For information in relation to the background to this case and a summary of the first and second weeks of proceedings, please click on the following links:
DPC Expert Witness - Professor Neil Richards
Over the course of Monday 20 February 2017 and part of Wednesday 22 February 2017, the DPC’s first witness, Professor Neil Richards provided the Court with a summary of the conclusions of his report on US privacy law. Prof Richards, of Washington University, is an expert in US privacy law and First Amendment law (in this context the First Amendment relates to the right of free speech).
The primary conclusions drawn by Prof Richards on US data protection and privacy law were similar to those drawn by the DPC in her draft decision. In agreeing with the DPC’s characterisation of US law, Prof Richards told the court that US judicial remedies are fragmented and subject to individual limitations. He similarly agreed that the issues of notice and standing to bring a case before the US courts, while not fatal, nevertheless constitute substantial obstacles to litigants challenging the breach of their privacy rights.
In addressing the issue of standing, Prof Richards commented that the standing doctrine is “notoriously indeterminate”. He stated that in order to establish standing one must satisfy the following three elements of proof:
- Injury in fact;
- Causation; and
He further stated that while privacy claims are not barred, the injury in fact requirement makes it more difficult for the courts because of the intangible nature of privacy rights. This is because in order for a litigant to satisfy the injury in fact requirement, they must prove that they either suffered or would imminently suffer a harm which is “concrete and particularised” and “actual or imminent”. The harm cannot be conjectural or hypothetical. Prof Richards explained that there is a great deal of uncertainty in case law with regard to assessing the standard of harm for the breach of such rights as a result of the injury in fact requirement. While some courts have found that the mere interference of a person’s data will constitute harm, Prof Richards does not believe that this disturbs his general conclusion that the standing doctrine requires something in addition to actual interference in order to establish injury in fact.
However, in his report Prof Richards did not consider the remedies available to EU citizens against private US members nor did he consider the remedies available to EU citizens against individual Member States’ governments.
Prof Richards accepted that significant issues arise when giving notice, particularly in the context of intelligence and that it is recognised under the Ombudsperson mechanism in the Privacy Shield that notice will not be given where data is intercepted. He also agreed that there have been a number of advances in privacy law in the US and that surveillance reforms were undertaken in the latter part of the Obama administration.
DPC Expert Witness - Mr Andrew Serwin
Over the course of Wednesday 22 February 2017 and Thursday 23 February 2017 the DPC’s second witness Mr Andrew Serwin presented his evidence to the Court. Mr Serwin, a partner in the US law firm Morrison and Foerster LLP specialising in privacy and data security practice, prepared a report for the DPC outlining the potential causes of action for an EU citizen against the US government should their privacy and data protection rights be the subject of a breach.
In his report, Mr Serwin set out the contours and limits of US law and he focused on the remedies directly accessible to EU citizens. He told the Court that he did not address the oversight procedures and safeguards in his report nor did he assess the indirect causes of action which may be available to EU citizens as they were not central to his report. The main conclusion from his report was that there are certain claims available to US citizens that were not available to EU citizens. He added that, while there has been considerable change in recent case law to the standing doctrine, the Supreme Court has not expanded the doctrine but rather there has been a narrowing of the standing doctrine and as a result, it is more difficult for EU citizens to access remedies for a breach of their data protection rights in the US. Mr Serwin also argued that surviving a motion to dismiss based on lack of standing is not a remedy.
Under cross-examination by Ms Niamh Hyland, counsel for Facebook Ireland Limited, Mr Serwin stated that he did not include the Administrative Procedures Act (the “APA”), a statute identified in a number of the other expert reports submitted to the court in these proceedings, in his report due to its “mixed history” (i.e. it is often unsuccessfully raised). Mr Serwin explained he does not view the APA as being a primary remedy. He also stated that in his report to the DPC, he provided a “non-inclusive” list of potential remedies.
Counsel for Facebook Ireland Limited questioned Mr Serwin as to whether he had asked the DPC if she would seek submissions from Facebook and Mr Schrems on the matter and whether the DPC should have looked at the submissions from the US government, in such circumstances where the Commissioner was coming to a view on the adequacy of US law in reliance on his opinion. Mr Serwin told the court that he had not asked the DPC on such matters and was not surprised that the DPC did not disclose to him that they had been provided with material from the US Government as in the normal circumstances of a case he would not expect this to occur.
We will continue to publish further updates on the proceedings as the hearing of the case progresses.