Data Protection Commissioner fights US over EU data privacy rights

Commissioner Helen Dixon has brought a case with potentially enormous implications for trade and privacy rights of millions of EU citizens, aimed at having the Court of Justice of the EU (CJEU) decide whether transatlantic data transfer channels breach the privacy rights of EU citizens.
Ms Dixon formed a “provisional” view that there are “deficiencies” concerning rights of EU citizens to access remedies under US law for breach of data protection rights under European law, the court was told yesterday.
The significance of the case, listed for three weeks at costs of millions of euro, is underlined by the US government’s first involvement in litigation in the Irish courts.
Its lawyers claim “significantly enhanced” protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows.
Any finding that the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”, the lawyers argue.
Legal experts from the US and various EU states have provided reports outlining their views on the extent and adequacy of the US protections, including under the Foreign Intelligence Security Act 1978 and US Patriot Act 2001.
The power of the US president to make executive orders was also raised during the opening of the case.
Ms Dixon initiated her proceedings after examining a complaint by Austrian lawyer Max Schrems over personal Facebook data being transferred to the US and forming the draft view in 2015 that he had “well-founded” objections that the transfers breached his privacy rights as an EU citizen.
Mr Schrems complained in June 2013 after former US National Security Agency (NSA) contractor Edward Snowden revealed surveillance by the NSA of certain internet and telecoms systems operated by companies including Facebook, Microsoft, and Google.
The Irish High Court referred issues in the case to Europe and in 2014 the CJEU ruled the Safe Harbour framework for data transfers was invalid under the EU Charter due to a failure to enable EU citizens to pursue effective legal remedies in the US over alleged breach of their EU privacy rights.
Ms Dixon’s current case is against Facebook Ireland, because it transfers data from its European headquarters in Dublin to its parent in the US, and Mr Schrems as complainant.
No orders are sought against either defendant and the case is essentially aimed at having the CJEU decide whether three European Commission decisions of 2001, 2004, and 2010, upholding the validity of data transfer channels, known as standard contractual clauses (SCCs), are valid.
Ms Dixon’s draft view is that the SCCs do not provide adequate protection equivalent to that provided under EU law.
While Facebook argues different levels of protection apply “on the ground” in various EU member states for data transfers within the EU, the issue is whether US law provides EU citizens with equivalent protection and access to court as available under EU law, counsel said.
The case continues today.