LUXEMBOURG — Irelands data protection authority came under fire during a hearing at the European Court of Justice on Tuesday over its refusal to take a decision on whether Facebook could transfer the personal data of Europeans to the United States.
EU institutions, national governments and industry groups joined Austrian privacy activist Max Schrems and even the Irish government in lining up to criticize the Dublin-based regulator, which had deferred the matter to Irelands highest court.
“The Data Protection Commissioner has the necessary power to suspend or prohibit data flows,” a representative for the Irish government said, referring to Facebooks data transfers to the U.S., which were the subject of a complaint brought by Schrems in 2013. “We acknowledge the difficulty of the task, but it should not mean all standard contractual clauses should be deemed invalid.”
Instead of deciding on the case, the Irish Data Protection Commission (DPC) asked its countrys national courts to determine whether so-called standard contractual clauses — complex legal mechanisms that allow thousands of companies to move data from Europe to the U.S., Asia and elsewhere — were valid.
The Irish High Court then referred the case to the Court of Justice of the European Union (CJEU), which now has to assess whether they violate Europeans fundamental right to privacy, leading to Tuesdays hearing.
In his original complaint, Schrems sought to get Facebook to stop sending Europeans personal data to the United States on the basis that it would be subject to surveillance from intelligence bodies such as the National Security Agency.
“When data is transferred by Facebook to the U.S., the protection is weakened by U.S. law. That is true with any transfer mechanisms, including the Privacy Shield. Its systemic,” his lawyer told a packed room in Luxembourg, where the European Court is based.
The Privacy Shield is a transatlantic data flow agreement allowing companies to transfer European personal data from the EU to the U.S. It replaces the Safe Harbor, which was struck down by the CJEU in late 2015.
Data shutdown fears
Schrems complaint focused squarely on Facebook and the so-called standard contractual clauses it used to transfer personal data to the United States.
But the judges in Luxembourg, whose final decision is expected in early 2020, could make a ruling on the validity of standard contractual clauses in general.
Companies worry that a ruling to invalidate the clauses could turn off data transfers from Europe to the U.S. overnight and affect flows to other parts of the world such as Asia and South America.
“The effect [of an invalidation of standard contractual clauses] on trade would be immense and would have World Trade Organization implications for the EU,” Facebooks lawyer told the court. “There is no evidence that Facebooks transfers are under any particular risks.”
Facebook, which tried unsuccessfully to block the case from being referred to the CJEU, argued the company did not comply with all data access requests made by the U.S. government: “The level of request [by government agencies] is very small compared to the data Facebook has, and Facebook carefully scrutinizes those requests for legal validity.”
Both the tech giant and the U.S. government made the argument that ruling on a foreign surveillance regime is not within the courts scope. Europes sweeping privacy reform — the General Data Protection Regulation — does give the EU the mandate to “conduct a worldwide inquiry” of surveillance regimes across the world, a representative for the U.S. government said.
Meanwhile, the Irish regulator argued that the European court should invalidate standard contractual clauses because they do not offer sufficient remedies for users whose data have been collected by U.S. intelligence agencies.
Ganging up against the DPC
Schrems had originally complained to Irelands DPC, which is in charge of Facebook given the location of the companys European headquarters in Dublin.
The regulator questioned the validity of standard contractual clauses in general, and the High Court asked the CJEU to rule on the compliance of such mechanisms in general with the Charter of Fundamental Rights.
But the Austrian activist did not want to question the validity of all standard contractual clauses.
“We agree with the DPC [on U.S. surveillance], but not on the radical solution. The solution is not for the court to invalidate standard contractual clauses but for the Data Protection Commissioner to enforce them,” his lawyer said.
The European Commission, EU governments and tech lobby BSA-The Software Alliance, which reRead More – Source