The last two weeks have seen significant developments on both sides of the Atlantic in legal cases concerning international data privacy law. First, the judgment in Microsoft’s appeal against the US Department of Justice was handed down by a court in New York. Then, earlier this week, the ongoing actions involving the Irish Data Protection Commissioner, Max Schrems and Facebook was again before the High Court in Dublin.
Aside from the fact that both cases address significant multi-jurisdictional issues of privacy law, a common feature of the cases is that both have involved national governments intervening in non-domestic proceedings by filing amicus curiae briefs with the relevant Courts.
Amicus curiae literally translates to “friend of the court”. By way of this process, interested parties can submit briefs to assist the Court in grasping the broader implications of judgments beyond those directly impacting the litigants. Generally, admission as an amicus requires a party to demonstrate a genuine, legitimate interest in the issues raised.
Amicus curiae applications are relatively uncommon in Ireland and interventions by national governments in this manner are especially rare. That two national governments have become involved in data privacy litigation in another jurisdiction in quick succession demonstrates the seriousness of the matter from their perspective.
Cases and Applications
The Microsoft appeal concerned emails stored on a server in Dublin. A New York district court judge had issued a warrant for disclosure of the emails for the purposes of an investigation in the US. Microsoft refused to comply with the warrant, arguing that the data was held outside of the jurisdiction and was therefore outside of the NY Court’s remit.
The Irish Government filed a brief with the US Court of Appeal in support of Microsoft’s position. The brief emphasised Irish sovereignty and pointed out that there were international treaties for obtaining evidence from abroad. On 14 July 2016, the New York Court handed down its decision, siding with Microsoft. In finding for the company, the Court decided that US warrants are limited in scope to US soil. Irish sovereignty had to be respected, and proper channels must be used to obtain cross-border evidence. Even if Microsoft could access the emails from the US, the data was stored beyond the reach of US law. The result, coming as it does shortly after the adoption of the EU-US Privacy Shield, which was adopted on 12 July 2016, is a positive development in light of the concerns about excessive US surveillance of personal data previously expressed in the Schrems case last October.
The separate case before the Irish courts comes on the back of the original complaint by Max Schrems to the Irish Data Protection Commissioner, which resulted in the invalidation of the Safe Harbour regime (which had allowed for flows of personal data from the EU to the US) by Court of Justice of the European Union (“CJEU”) in October. The current iteration of the case before the High Court concerns the validity of transfers of personal data to the US on the basis of “standard contractual clauses”. A core issue is whether the standard contractual clauses can offer adequate protection for personal data against a backdrop of broad US surveillance programmes, with the Irish Data Protection Commissioner seeking a referral to the CJEU for a determination on the point.
On 19 July 2016, in the High Court in Dublin, Judge Brian McGovern granted an application by the US Government to be joined to the Schrems case as an amicus curiae. Judge McGovern said he was satisfied that the US had a “significant and bona fide interest” in the outcome of the case. He noted that US surveillance law is a substantial issue, and the judgment will significantly affect US businesses. He also granted requests by EPIC (a US privacy watchdog), the Business Software Alliance ("BSA"), and Digital Europe to be included as amicii curiae. He refused requests to join from the Irish Business and Employers Confederation, IHREC, American and Irish Civil Liberties organizations, the EFF, and privacy activist Kevin Cahill.
The amicus applications reflect the growing importance to both business and governments on both sides of the Atlantic of data transfers and exchange, and hence of data regulation. There are real risks to businesses in both Europe and the US if such flows cannot continue. The BSA estimates a negative judgment in the latest Schrems case could cost the EU €143 billion per year – 1% of its total GDP.
As such, governments are understandably wary about leaving the fight solely to litigants. This goes beyond political posturing – the first Schrems case was a significant challenge for international data controllers, who instead were reliant to a significant degree on the standard contractual clauses to facilitate transfers to the US. That said, the decision in Schrems has led to significant written undertakings and movement from the US in relation to rights of redress and restrictions on surveillance, as reflected in the EU-US Privacy Shield. It is hoped that in light of those developments, and the amicus standing of the US in the case, the CJEU will be in a position to make a determination in the current proceedings which will permit the continued use of standard contractual clauses, with a consequent boost to the US-EU Privacy Shield.