“We are proposing a measured solution…”
Privacy lawyer and activist Max Schrems wants the Privacy Shield data sharing agreement between the EU and the US struck down. Today Europe’s highest court will hear his argument.
The case has its roots in a complaint made by Schrems against Facebook in 2013. The complaint specifically seeks to stop EU-US data transfers by Facebook Ireland Ltd., and was triggered by the Edward Snowden revelations that Facebook allows the US intelligence services to access the personal data of Europeans under surveillance programs like “PRISM”.
Ahead of tomorrow's @EUCourtPress Hearing on #PrivacyShield and #SCCs a bit of summary on this (very complicated) procedure and the positions (spoiler: We argue the *middle* ground between the DPC and Facebook):
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) July 8, 2019
Schrems’ team argues that “Standard Contractual Clauses” (SCCs), the data sharing mechanism used by Facebook to make the transfers, if applied correctly, can be used to stop Facebook transferring EU data to the US.
(The Irish Data Protection Commissioner, meanwhile, takes the view that the SCCs themselves are invalid.)
Schrems holds that the European Commission’s assessment of US privacy laws being robust enough – a decision that shores up the ongoing use of Privacy Shield – “does not adequately describe US surveillance laws, is not even remotely capable of providing adequate privacy protections,and [Privacy Shield] must therefore be invalidated.”
Schrems said in a statement this week: “We are proposing a measured solution: The Irish DPC [Data Protection Commissioner] must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over. This case has been pending for six years. Over these six years,the DPC has actually decided in a mere 2-3 percent of the cases that were brought before it. We don’t have a problem with ‘Standard Contractual Clauses’, we have a problem with enforcement.”
As Peter Church, counsel at law firm Linklaters‘ technology practice put it in a guest post for Computer Business Review last week: ” The Irish High Court conducted a detailed review of the various surveillance powers available under FISA, the USA-PATRIOT Act and under Executive Order 12333 to assess this question. It also explored the many layers of review and oversight for these powers through the FISA Court, Presidential Policy Directive 28, private litigation and the new Privacy Shield Ombudsman.
“While the US authorities’ powers are subject to various checks and balances, the Irish High Court decided those safeguards were not sufficient. The chief criticism was that EU citizens do not have an adequate remedy if their data is misused. This breaches the right to remedy under Article 47 of the EU Charter of Fundamental Rights. The dispute raises significant issues under EU law, so the Irish High Court referred a number of questions to the European Court of Justice.”
A ruling is expected later this year and is likely to be appealed again. Facebook has been contacted for comment.