Facebook data transfers "violation" of privacy rights

European Court of Justice begins hearing arguments in landmark Facebook privacy case

Case was brough on foot of claims by NSA whistleblower Edward Snowden, that Facebook had breached EU law by passing his data to the US National Security Agency’s ‘Prism’ programme. Photograph: Dado Ruvic/Reuters
Case was brough on foot of claims by NSA whistleblower Edward Snowden, that Facebook had breached EU law by passing his data to the US National Security Agency’s ‘Prism’ programme. Photograph: Dado Ruvic/Reuters

The European Court of Justice has heard that the alleged transfer of European personal data to US intelligence services represents an “indiscriminate general surveillance” that is “manifestly incompatible” with EU privacy rights.

The EU’s highest court heard oral arguments today in the case of Austrian privacy campaigner Max Schrems against the Irish Data Protection Commissioner (DPC), in a referral from the High Court in Dublin.

Last year Mr Schrems challenged the DPC for not pursuing his complaint, on foot of claims by NSA whistleblower Edward Snowden, that Facebook had breached EU law by passing his data to the US National Security Agency’s “Prism” programme. The High Court asked Luxembourg for clarification of EU rules regarding EU citizen data transfer to the US, known as the “Safe Harbour” provision.

Tuesday’s ECJ hearing focused on whether national DPCs such as Ireland’s have an obligation to examine such complaints from citizens and to intervene with the European Commission on whether US bodies meet “adequate” data standards required by the Safe Harbour provisions.

READ MORE

Mr Noel Travers SC for Mr Schrems argued that this had not happened in the case at hand.

“There is a duty of national authorities and the European Commission to protect citizens against violations of the right to privacy,” he said. “National authorities ... (have) a duty to investigate the complaint and, where necessary, suspend data flows to the US.”

Not doing so was the “very antithesis of independence” enjoyed by Ireland’s DPC.

He contended that Safe Harbour was illegal on its adoption 15 years ago and was “even more illegal today based on everything we have learned in the meantime” from Edward Snowden.

Mr Travers built his case on last year’s ECJ case by Digital Rights Ireland (DRI), in which the Luxembourg court struck down an EU directive allowing data retention in the EU.

The Safe Harbour provisions permitted a “far more egregious breach of privacy”, said Mr Travers, because it allowed US intelligence agencies scrutinise the data transmitted across the Atlantic.

“It is difficult to conceive of a more serious violation of fundamental rights to privacy,” he said.

Asking to invalidate the Safe Harbour provisions would not put a stop to transatlantic data transfer, Mr Travers said, merely end the privileged status enjoyed by US companies who “self-certify” that they meet “adequate” data protection standards as defined by the European Commission.

Counsel for Digital Rights Ireland argued that Safe Harbour was fundamentally flawed because it allowed US bodies “self-certify” that they met EU standards merely by undertaking to do so.

“The commission did not take the more logical approach of making compliance itself a condition,” said Mr Fergal Crehan SC.

Counsel for the Irish DPC, Mr Paul Anthony McDermott SC, said that there was no evidence that Mr Schrems had come to harm as a result of alleged US use of EU data and there was no case for the DPC in Ireland to investigate.

“There must be a likelihood that principles are being violated but the evidence to date consists of newspaper reports about Mr Snowden’s revelations,” he said. “Mr Schrems placed no such claims before the DPC.”

Mr McDermott said the DPC was happy to deal with all complaints it received on the basis of the law. However the EU charter of fundamental rights, which includes a right to privacy, did not confer additional powers on the Irish DPC.

“International diplomacy and realpolitik” - not courtrooms - were the best channels for resolving data transfer issues with the US, he added.

Mr David Fennelly, counsel for Ireland, agreed with the DPC counsel that EU responsibilty in this case rested not with the Irish DPC but with the European Commission.

“It is up to the European Commission ... to make positive or negative findings about the adequcy of protection afforded to personal data in third countries,” he said.

As well as Ireland, the hearing attracted submissions from seven other EU member states: Belgium, the Czech Republic; Italy; Austria; Poland; Slovenia and the UK.

UK counsel was broadly supportive of the Irish state and Irish DPC positions, backing the lead role of the commission and arguing that the ECJ was not the appropriate forum to “supplant” ongoing EU-US negotiations on new data transfer rules.

Most other national representatives were critical of the Irish approach. Belgian counsel argued that national DPCs were obliged to intervene in such cases of “blatant interference” such as that indicated by Edward Snowden.

“If that is not considered sufficiently serious interference, one might wonder what is a sufficently serious interference,” said Mr Jean-Christophe Halleux for Belgium.

Austrian counsel agreed that, on foot of citizens’ privacy complaints, national DPCs had a right to intervene and, where necessary, “take restrictive measures” on data transfer.

“What we are tying to do is to minimise negative effects on the rights of EU citizens or avoid them entirely,” said Austrian counsel Gerhard Kunnert. As it stood, he said, Safe Harbour had no legal teeth to guarantee EU privacy rights.

“It could be said that the Safe Harbour is not a safe harbour for data of EU citizens but a safe harbour for data pirates,” said Mr Kunnert.

Counsel for the European Parliament expressed doubts as to whether the Irish DPC had exhausted its powers by deferring to the European Commission in dealing with the Schrems complaint.

“The European Commission has no power to restrict the power of national supervisory authorities,” said European Parliament counsel Moore. Given recent examples of US deficiencies in guarding EU citizens’ rights, he said the “commission must suspend or repeal the Safe Harbour provision”.

Counsel for the European Commission acknowledged that the EU executive body had expressed concerns last November over what the Snowden revelations meant for the future of Safe Harbour. But he asked the court for an “approriate margin of discretion” while the commission negotiatied with the US.

“The fate of the Safe Harbour decision should not be prejudiced while talks are ongoing,” said Mr B Schima for the commission.

Mr Schima came under close questioning from court rapporteuer Thomas von Danwitz, who pressed him on how the fundamental EU right to privacy is guaranteed under the Safe Harbour provisions.

Mr Schima conceded that the provisions were “not a model of clarity” but said it was “not the task” of national DPAs to examine the commission in this matter.

Counsel fo the European Data Protection Supervisor, where EU national DPCs meet, said the court would have to strike a balance between protection of privacy and potential disruption to the internal market of halting data transfer.

If ongoing talks with the US did not lead to significant revisions, EDSP counsel said, the EU should suspend Safe Harbour provisions.

The hearing continues on Tuesday afternoon.

Derek Scally

Derek Scally

Derek Scally is an Irish Times journalist based in Berlin