Portfolio blogger

Wednesday, July 27, 2016

The Schrems-Facebook saga continues

The Irish High Court turns to the European Court of Justice with a reference for a preliminary ruling in the second case of the Austrian law student Maximilian Schrems against Facebook.
In the first case, the European Court of Justice invalidated in its judgment the "Safe Harbour" agreement between the U.S. and the EU. (Other "adequacy decisions", declaring that countries comply with European data protection principles, can be found here.)
This system enabled U.S. companies to self-certify and register with the U.S. Department of Commerce that they comply with EU data protection rules.
Based on the Snowden revelations, the European Court of Justice found that the "indiscriminate and mass surveillance" by U.S. government agencies, and the lack of legal redress for EU citizens against illegitimate use of their data by those agencies (redress that was ensured for U.S. citizens), are not compatible with EU data protection principles. The Commission decision was therefore invalidated, and companies participating in this arrangement do not have the right to use EU citizens' personal data on that basis.
An alternative was that U.S. companies commit themselves, through "standard contractual clauses" defined by the European Commission, to ensure the same protection as if they were bound by European law. This is now also being attacked before the Irish High Court, which decided to refer a question to the European Court of Justice. This was announced in early June, but the question is not yet available on the Court website.
Meanwhile the Irish High Court also endorsed some requests to testify in front of it as "Amicus Curiae". The U.S. also received this right. The representative of the U.S. will testify under oath and is not bound by U.S. secrecy laws.
On 8 June the European member states actually endorsed the "Privacy shield", the system intended to replace the "Safe Harbour". The U.S. ensured adequate legal redress for European citizens as well, and thus - apart from the question of how indiscriminate and mass-scale U.S. surveillance is - the main problem was declared solved.
The arrangement did not have a smooth ride either in the U.S., where the Republicans introduced last-minute amendments to the bill, weakening its guarantees, or in the EU. There, the so-called "Article 29 working party", the community of national Data Protection Authority chiefs (which will become the European Data Protection Board, a much more powerful and institutionalised group, after the new General Data Protection Regulation enters into force in May 2018 - a post about that will follow), and the European Data Protection Supervisor requested changes to the already agreed text, and of course it was very difficult to make the U.S. swallow this. Certainly, this "Privacy shield" will also be tested in the courts. However, the changes in U.S. law will also influence the decision on the standard contractual clauses, as their governmental environment has changed.
One interesting aspect of the U.S. rules on government access to personal data is that they apply in principle to subsidiaries of U.S. companies, and even to companies outside the U.S. that have a subsidiary or important operations in the U.S. This was, however, weakened when Microsoft won a case in Ireland, and thus does not have to disclose data to U.S. authorities.
The opinion of the EDPS on the "Privacy shield" can be found here.