Austrian lawyer and privacy activist Max Schrems is calling for the Irish data protection authority to finally take action to enforce European data protection rules on Facebook.The call comes as the Court of Justice of the European Union (CJEU) hears a case on EU-US data transfers and mass surveillance by the US government.
The case centres around a complaint by Schrems against Facebook in 2013 as a result of revelations by whistleblower Edward Snowden’s disclosure that Facebook allows the US intelligence services access to personal data of Europeans under surveillance programmes such as Prism.
The complaint seeks to stop EU-US data transfers of Facebook, but so far the Irish data protection commissioner (DPC) has not taken any concrete action aimed at doing so.
The case was first rejected by the Irish DPC in 2013, then subject to judicial review in Ireland and a reference to the CJEU. In 2015 the CJEU ruled that the Safe Harbor agreement that allowed EU-US data transfers was invalid, and that the Irish DPC had to investigate the case.
At the end of 2015, the DPC informed Schrems that Facebook had in fact never relied on the Safe Harbor agreement, but had instead relied on standard contractual clauses (SCCs) as a mechanism to transfer data from the EU to the US.
In response, Schrems adapted his complaint to the transfers being made under SCCs and called for the end of data transfers to Facebook in the US because they could make the data available to the National Security Agency (NSA).
The DPC conducted an investigation from December 2015 to spring 2016, but instead of deciding on the complaint, the DPC filed a lawsuit against Facebook and Schrems at the Irish High Court in 2016 to refer further questions to the CJEU.
After more than six weeks of hearings, the Irish High Court found that the US government engaged in “mass processing” of European personal data and referred eleven questions to the CJEU for a second time in 2018.
The CJEU scheduled the case for 9 July 2019, with a judgment expected before the end of the year. After the judgement of the CJEU, the DPC will finally have to decide on the complaint, and the decision could again be subject to appeals by Facebook or Schrems.
In the latest case, the Irish DPC and Schrems both contend that US surveillance laws violate fundamental rights to privacy, data protection, and redress under European law. However, the data protection commissioner Helen Dixon claims she has no power to solve the issue.
According to Schrems, because the data transfer mechanism Facebook (SCCs) does not foresee such a situation, the clauses themselves need to be invalidated.
This would mean that data transfers to any non-EU country under this instrument would have to be stopped, which could have a huge impact on companies that rely on SCCs for running their businesses.
Facebook takes the view that US law does not go beyond what is legal under EU law. Facebook also questions whether the EU has any jurisdiction on “national security” cases. Facebook sees no problem with continuing to transfer data to the US.
Facebook also relies on the European Commission’s assessment of US law in the so-called Privacy Shield decision, which says that US surveillance laws comply with EU requirements.
Although Schrems agrees with the DPC on the problem, he proposes a more measured solution, arguing that article 4 of SCCs permits the DPC to stop individual data transfers like Facebook’s. Schrems says that the Irish DPC has a duty to act, instead of referring the case back to the CJEU.
On Facebook’s reliance on the “Privacy Shield”, Schrems takes the view that the Privacy Shield Decision by the European Commission does not adequately describe US surveillance laws and is therefore not able to provide adequate privacy protections, and therefore should be invalidated.
The European Commission is expected to defend both its decisions on the SCCs and Privacy Shield. It is expected to side with the US and Facebook on the view that there is no violation of fundamental rights in the US, but also acknowledge that the DPC has the power to solve the issue itself if the CJEU sees a violation of fundamental rights in the US.
In a statement issued ahead of the case, Schrems said he is proposing a measured solution. “The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over.
“This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2%-3% of the cases that were brought before it. We don’t have a problem with SCCs, we have a problem with enforcement.”
Commenting on the case, Adam Rose, data protection partner at legal firm Mishcon de Reya, said Schrems previously convinced the CJEU to agree with his argument that the bilateral agreement between the EU and the US, under the title of the Safe Harbor scheme, did not give Europeans sufficient protection for their personal data if it was sent to the US, and as a result the EU and the US agreed a new deal, known as the Privacy Shield.
“The model clauses, which Mr Schrems is now challenging, presumably face the same limitations and loopholes as the Safe Harbor scheme did, and one would expect that the European Court will again agree with him,” said Rose.
“If that happens, it blows a massive hole through the system set up some years ago to enable the smooth transfer of personal data from the EU to the US.”