Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems
By way of update, the second week of proceedings by the Data Protection Commissioner against Facebook Ireland Limited and Maximilian Schrems commenced on Wednesday 15 February 2017 in the Irish High Court.
For information in relation to the background to this case and a summary of the first week of proceedings, please click on this link.
DPC Opening Statement (continued)
On Wednesday 15 February 2017, Brian Murray SC, acting on behalf of the Data Protection Commissioner (“DPC”) explained why the Court ought to share the DPC’s doubts in relation to the validity of the “standard contractual clauses” (“SCCs”) mechanism under which personal data is currently being transferred from the European Union (“EU”) to the United States (“US”).
Counsel stated that the test for adequacy was one of “essential equivalence” and therefore it does not require that third party countries have identical privacy protections in place when receiving data from the EU. Therefore, US laws must, both in content and in practice, offer equivalent privacy protections. Counsel also argued that the inadequacies in US law generate sufficient doubt and are therefore capable of grounding a well-founded claim for making a Preliminary Reference to the Court of Justice of the European Union (“CJEU”).
The inadequacies which Mr Murray pointed to include the lack of a notification procedure in the US whereby a person can be notified when their data is accessed. Mr Murray stated that without notice, as mandated under EU law, there can be no “effective remedy”. In addition to the lack of a notification procedure, EU citizens cannot bring a Fourth Amendment claim. A Fourth Amendment claim is a constitutional protection afforded to US citizens against unreasonable or warrantless searches of places or seizures of persons or objects (i.e. EU citizens’ communications), where they would have a reasonable expectation of privacy. Furthermore the State Secrets Privilege, a common law privilege which allows the US government to refuse to disclose any information or evidence which may harm national security, can be raised to dismiss lawsuits in the early stages.
In addressing the submissions made by Facebook Ireland Limited, Mr Murray argued that it would be very difficult to state that there are no doubts in respect of the above mentioned inadequacies. He stated that the concerns raised by Facebook Ireland Limited (i.e. the impact to national security and the economy) were not relevant at this point. He argued that the Court should only be concerned with the effect of US laws and whether the essence of EU citizen’s rights have been breached as opposed to focusing on the justifications for limiting such rights.
Mr Murray also stated that SCCs do not resolve the issues of standing for Facebook Ireland Limited’s customers and he rejected Facebook Ireland Limited’s claim that national security does not fall within the ambit of the EU Data Protection Directive 95/46/EU (the “Directive”) because the data is transferred for commercial purposes and not for national security reasons.
Schrems Opening Statement
Mr Eoin McCullough SC, acting on behalf of Mr Schrems, stated that while Mr Schrems agreed with the DPC in relation to the necessity for “essential equivalence” and with regard to the inadequacies in US law, Mr Schrems did not believe it appropriate or necessary to make a reference to the CJEU. Instead he argued that the appropriate step is for the DPC to exercise their powers to suspend the data flow from the EU to the US.
Mr McCullough argued that Mr Schrems’ reformulated complaint did not identify SCCs as the exclusive process used by Facebook Ireland Limited to transfer data to the US and therefore he asked the DPC to investigate the other possible derogations used by Facebook Ireland Limited. He stated that the draft determination did not address these points and therefore, a Preliminary Reference would be “premature and unnecessary” until such time as other possible derogations are addressed.
Facebook Opening Statement
Over the course of Thursday 16 February and Friday 17 February, Paul Gallagher SC, acting on behalf of Facebook Ireland Limited, set out their opposition to the making of a Preliminary Reference to the CJEU. He argued that the DPC’s decision was “deeply flawed”, that US law does provide adequate protection to EU citizens and that there is an extensive network of remedies currently available to EU citizens against Facebook Ireland Limited and Facebook Inc.
Mr Gallagher stated that the DPC is asking the court to endorse their view which is not based on the current legal position reflected in the Adequacy Decision and he stated that there is no basis for having serious doubts about the validity of the SCCs mechanism. He claimed that there were significant failures on the part of the DPC to consider the implications of “Commission Implementing Decision 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU – US Privacy Shield” which found that the US does provide adequate protection.
Mr Gallagher contended that the processing of data, completed in the context of US security, is not governed by the Directive and consequently the issue of adequate remedies raised by the DPC is not relevant. He argued that Member States are not bound by EU law when processing data for national security therefore there is no comparison to be made with the US in relation to notice, access and remedies as they are not mandated by EU law in such circumstances.
Mr Gallagher also set out the “extensive network of remedies” available to Facebook Ireland Limited’s customers. He said that the issue of standing in US law is remedied by giving standing against the exporter (Facebook Ireland Limited) and the importer (Facebook Inc.). The only duties of the importer are to process data for the exporter in compliance with their instructions. Any data subject may bring an action against the data exporter where the data importer breaches these instructions and the applicable law in such circumstances would be the laws of Ireland.
Mr Gallagher warned of the ramifications of an absolute prohibition on the transfer of data which according to Professor Meltzer’s report would see a considerable reduction in the EU’s gross domestic product. He argued that the ramifications of such a reduction would extend to many other small to medium size enterprises who may not have any other legal basis to transfer data outside of the EU.
Application to Submit Affidavits
On Friday 17 February 2017, Business Software Alliance, Digital Europe and the Electronic Privacy Information Centre made an application to have affidavits, from their respective experts, admitted as evidence in the case. Interestingly, the US Government did not seek to have an affidavit from their expert admitted as evidence.
Digital Europe argued that the interests of their members could be severely affected by the ruling. Counsel for Digital Europe said that it was critically important that the interests of persons who use SCCs to transfer data outside of the EU to countries other than the US be put before the court.
Similarly, Business Software Alliance wished to submit evidence on the use of SCCs internationally. They stated that there was no overlap between the experts as Facebook Ireland Limited’s evidence concentrated on the specific use of SCCs. It was argued that there would be a factual deficit without their affidavit.
The DPC opposed all the applications stating that it was clearly contrary to the role of Amicus Curiae and that it would be equivalent to them “launching themselves into the facts”. The DPC further argued that it would be an unjustifiable departure from well-established principles as there was considerable overlap with the evidence already before the court.
Facebook Ireland Limited argued that it was clear that the Electronic Privacy Information Centre’s affidavit provided no new information on US law and said that the evidence was very similar to that provided by Ms Gorski from the American Civil Liberties Union, with whom the Electronic Privacy Information Centre shares a very similar mission.
Mr Schrems, while neutral on the admission of the affidavits, reasoned that in the interest of fairness the Court should take an “all or none” approach as it was evident that the Amicus Curiae were firmly on the side of Facebook Ireland Limited and that Electronic Privacy Information Centre were firmly on the side of the DPC.
On Monday 20 February, Ms Justice Costello refused the applications and in doing so noted that while there was no absolute rule in relation to Amicus Curiae adducing evidence, it would be an exception for the Court to allow the Affidavits to be admitted as evidence. The test for admission is whether the evidence sought to be adduced would further help the Court in making its decision.
The Electronic Privacy Information Centre application was refused on the basis that there were already five expert witnesses called to adduce evidence on US law and as such, the additional evidence was not necessary. Business Software Alliance’s application was refused on the basis that they were able to fulfil their role without adducing additional evidence. Finally, Digital Europe’s application was refused as the present case is only concerned with the transfer of data to the US and not to any other third country.
We will continue to publish further updates on the proceedings as the hearing of the case progresses.