Getty Images/iStockphoto
Judge in Max Schrems v Facebook action raises red flag on EU-US data transfers
The Irish High Court (Commercial Division) has once again cast a long shadow, with a very short deadline, over the arrangements for the safe and legal transfer of data between the EU and the US
Judge Caroline Costello this week set out 11 questions she wants the European Court of Justice to answer in relation to various elements of the current data transfer arrangements between the EU and the US.
Those arrangements are mainly based on Privacy Shield, the joint non-treaty agreement between the EU and the US, signed in 2016 after the European Court of Justice struck down the previous agreement, Safe Harbour, which was in place between 2000 and 2015. The judge has given Facebook until 30 April 2018 to appeal against her decision to put the questions to the Court of Justice.
The current case, described by Irish Times legal editor Karlin Lillington as “bizarre”, was brought by the Irish data commissioner, Helen Dixon, against Facebook and privacy campaigner Max Schrems, the original complainant. Dixon launched the action in 2016 in the face of two court orders, one from the Irish High Court on 18 June 2014 and the other from the European Court of Justice on 6 October 2015 that she should investigate Schrems’ complaint, which started in 2011 and was reformulated on 25 July 2013.
In an interview with the Financial Times, Schrems points out that his complaint has still not been (fully) investigated.
The decisive question from Costello is question 4, which seeks clarification on the lawfulness of private contracts that are widely used by international companies – known as standard contractual clauses (SCCs) – to exchange data between Europe and other countries while giving the privacy protection required by European law.
There is considerable uncertainty whether SSCs comply with Article 7 of the European Charter for Human Rights, which guarantees the right of EU citizens to a private life, privacy of family life, home and communications, and Article 8, which guarantees privacy of data.
In her question, Costello referred to a finding of fact by her colleague, Judge Gerard Hogan in 2014 in the original case brought by Schrems. Costello is now asking the European Court, which endorsed Hogan’s findings and struck down Safe Harbour, to consider whether “given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC (European Commission) decision, does this violate the rights of individuals under Article 7 and or Article 8 of the Charter?”.
Court found ‘indiscriminate surveillance’
In his landmark findings, Hogan stated at paragraph 13: “I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the US is thereafter capable of being accessed by the NSA [National Security Agency] in the course of mass and indiscriminate surveillance of such data.”
These findings are settled law and cannot be overturned, and the European Court has already endorsed them – so why this current round of questions?
Instead of investigating Schrems’ complaint, the data commissioner hit upon a sub-clause in Privacy Shield about standard contractual clauses, which Facebook and others were relying on to transfer data legally between the EU and the US.
The data commissioner told the Irish Commercial (High) Court in 2016 that she had reservations about this procedure. But she made no attempt to investigate Schrems’ complaint, especially the part that dealt with Prism, the US mass surveillance programme that Hogan had found, as a fact, was unlawfully scooping up all the EU client data of nine named internet giants, including Facebook.
Schrems has always said he would take action against Privacy Shield, but Costello has now asked the questions he would probably have asked. These include whether an EU citizen can count on an ombudsman in the US, who would be a State Department official, with no powers to notify complainants of the details of their complaint, or to award compensation, as a substitute for the legal protection afforded EU citizens in the EU.
The laws of the EU and member states, in order to meet the requirement for redress and the right to a fair trial under Article 47 of the EU Charter, provide for local courts to make judgments in privacy cases and award both civil and criminal damages.
What you need to know about data protection and the European Charter
The Schrems case will determine whether Facebook’s and other companies’ use of EU-approved private contracts, known as standard contractual clauses, to send data on European citizens from Europe to the US, comply with three key clauses in the European Charter of Fundamental Rights:
Article 7: Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8: Protection of personal data
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
- Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
Article 47: Right to an effective remedy and a fair trial
- Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article.
- Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented.
- Legal aid shall be made available to those who lack sufficient resources in so far as such aid is necessary to ensure effective access to justice.
The judge’s questions raise another crucial issue, however: whether essentially secret decisions taken by the European Commission are valid. Costello said: “The answers to these questions are necessary to determine the validity of the SCC decisions (European Commission), the purpose of the proceedings and the reference to the court. The final question asks the logical conclusion of the prior questions – whether the SCC (Commission) decisions violate Articles 7, 8 and/or 47 of the (EU) Charter and therefore whether the Commission decisions should be declared to be invalid.”
Costello has not raised Article 41.3 of the EU Charter, which provides for compensation to anyone who has been injured through the negligence or wrong actions of EU officials. If the European Court stands by its endorsement of Hogan’s findings, and its own striking down of Safe Harbour, then the Commission could, in principle, face injury claims from upwards of 270 million European citizens – those estimated by Computer Weekly in September 2017 to be affected by US “mass and indiscriminate surveillance”.
Law firm known for legal claims against IRA brings US action against Cambridge Analytica
The UK law firm of McCue and Partners has joined with the US law firms RuyakCherian LLP and Fields PLLC, both in Washington, and Cross & Simon LLC in Wilmington, Delaware, to sue Facebook and Cambridge Analytica for negligence with their clients’ data.
The case is being brought in the US as the defendants, which include companies associated with Cambridge Analytica named in the documents as SCL and GSR, have registered addresses in Delaware. The case is also being launched in the US because the largest number of victims – about 86 million out of the 87 million people affected – live in that country.
McCue and Partners will act for UK clients. McCue is best known for bringing claims against the IRA for the civil victims of the Omagh bombing and for defending The Times against the libel suit of Thomas Slab Murphy, IRA chief of staff, which The Times won.
This is likely to be the first of many cases against Facebook over the Cambridge Analytica debacle.
Given the recent row over Facebook and Cambridge Analytica, it was essential for the existing law to be clarified. However, Costello has accidentally done this. By referring to Hogan’s findings of fact, she has drawn attention to the fact that “mass and indiscriminate surveillance” is already unlawful. Hogan had, in any case, done no more than put flesh on Sir Anthony May’s advice to the UK parliament on 8 April 2014 that such mass and indiscriminate activities were both criminal and unlawful.
May said: “Public concern has centred on potential intrusive invasion of privacy [arising from the Snowden revelations]. Such concerns have been expressed publicly in the US, Europe and other countries with greater force perhaps than in the UK. But unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention on Human Rights just as much here as in other parts of the European Union.”
The first law cases against Facebook have now begun. McCue and Partners of London and Belfast has launched a class action against Facebook and Cambridge Analytica. In the UK, up to 38 million people could have a claim against Facebook arising from Hogan’s findings.
But by putting Hogan’s findings back to the European Court, Costello has raised an even more critical issue for the US government. The US government has always claimed that the Prism mass surveillance is legal because there is a law in the US – the Foreign Intelligence Surveillance Act (FISA), with an attached court. But US law does not apply in the EU, and at paragraph 18 of his findings, Hogan rejected the FISA court as a court of law. The European Court of Justice endorsed Hogan’s findings of fact.
Read more on Privacy and data protection
-
Privacy Shield: One year on and companies are still grappling for answers
-
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
-
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement
-
Schrems v Facebook: European court strikes down EU-US Privacy Shield agreement