Data commissioner in privacy rights clash with US government
Case is America's first involvement in litigation in the Irish courts
A clash between the Data Protection Commissioner and the US government over the adequacy of US legal safeguards for the data privacy rights of EU citizens has emerged at the Commercial Court.
The significance of the case is underlined by the US government's first ever involvement in litigation in the Irish courts and has potentially enormous implications for trade and privacy rights of EU citizens.
Commissioner Helen Dixon has brought a case aimed at having the Court of Justice of the EU (CJEU) decide whether transatlantic data transfer channels breach the privacy rights of EU citizens.
The commissioner has formed a "provisional" view there are "deficiencies" concerning rights of EU citizens to access remedies under US law for breach of data protection rights under European law, the court was told yesterday.
Its lawyers claim "significantly enhanced" protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows.
Any finding the safeguards are inadequate could have "sweeping" commercial ramifications for data flows and risk undermining international co-operation to confront "common threats", they argue.
Legal experts from the US and various EU states have provided reports outlining their views on the extent and adequacy of the US protections. The power of the US president to make executive orders was also raised during Maurice Collins's opening of the case.
The commissioner initiated her proceedings after forming a draft view in 2015, having examined a complaint by Austrian lawyer Max Schrems over his personal Facebook data being transferred to the US, he had "well-founded" objections the transfers breached his privacy rights as an EU citizen.
Mr Schrems complained in June 2013 after former US National Security Agency (NSA) contractor Edward Snowden revealed surveillance by the NSA of certain internet and telecommunications systems operated by firms such as Facebook, Microsoft and Google.
The High Court referred issues in the case to Europe and in 2014 the CJEU ruled the Safe Harbour framework for data transfers was invalid under the EU Charter.
The commissioner's current case is against Facebook Ireland, because it transfers data from its European HQ in Dublin to its parent in the US, and Mr Schrems as complainant. No orders are sought against either defendant and the case is essentially aimed at having the CJEU decide whether three European Commission decisions of 2001, 2004 and 2010, upholding the validity of data transfer channels, known as standard contractual clauses (SCCs), are valid.
The commissioner's draft view was the SCCs do not provide adequate protection equivalent to that provided under EU law, Mr Collins said. Her concerns include that certain US statutory provisions provide limited remedies for data privacy violations, including allowing a remedy for "wilful" violations only.
The commissioner is also concerned US law makes it more difficult for an EU citizen to get the necessary legal standing to be heard by a US court over alleged breach of data privacy rights.
Facebook argues different levels of protection apply "on the ground" in various EU member states. The case continues.