Ruling against data transfer regime may cost Europe €143bn a year, says Facebook

A draft finding by the Irish Data Protection Commissioner that existing EU-US data transfer channels are invalid could, if upheld by the European courts, cost €143 billion a year, Facebook Ireland has told the High Court.

The US government on Thursday made an application, unprecedented in the Irish courts, to join the huge action by Commissioner Helen Dixon aimed at establishing the legality of channels, known as Standard Contractual Clauses (SCCs), being used for daily EU-US data transfers.

Judge Brian McGovern will rule by the end of July on applications by the US and major Irish, EU and US business and civil liberties organisations, along with data privacy campaigner Kevin Cahill, to join the case as amicus curiae (assistant to the court on legal issues). The action is aimed at having the validity or otherwise of the SCCs referred by the High Court to the Court of Justice of the EU (CJEU) for determination. Unless a party has been joined by the Irish High Court, it cannot participate in any reference to the CJEU.

The Commissioner, in a draft finding last May, said Austrian lawyer Max Schrems had raised "well-founded" objections to the validity of the SCCs. When a "well-founded" decision is reached, the next step for a Commissioner is to seek to have the CJEU decide the issue. The outcome of continuing EU-US discussions on a "Privacy Shield" may affect the wording of any referral, her counsel Michael Collins SC said.

Safe Harbour

The SCCs were approved under European Commission decisions of 2001, 2004 and 2010 but doubts about their validity have mounted after disclosures about US mass surveillance by Edward Snowden and since the CJEU last year struck down the 15 year old Safe Harbour arrangement for EU-US data transfers.

The Commissioner’s case is against Facebook Ireland (because Facebook’s European headquarters are here) and Mr Schrems because she considers they are the appropriate parties to address the relevant issues arising from Mr Schrems’ complaint. The case, with potentially huge implications for business entities and millions of EU citizens, raises significant issues concerning surveillance by US national security agencies and whether US law provides an adequate remedy for any breach of privacy rights of EU citizens.

Its importance was underlined by the applications to join by the US government; the Business Software Alliance, a global business organisation whose application was supported by the American Chamber of Commerce Ireland; the Irish Business & Employers Confederation; and Digital Europe, the representative organisation for the European digital industry.

Privacy and human rights issues were underlined in the applications from the Irish Human Rights & Equality Commission; the American Civil Liberties Union/Irish Council for Civil Liberties (in a joint application); and US-based data privacy watchdogs, the Electronic Frontier Foundation and the Electronic Privacy Information Centre.

Enormous implications

Paul Gallagher SC, for Facebook Ireland, said the case has enormous implications for Ireland, the EU and globally. It was conservatively estimated by the BSA, if the SCCs were found invalid, that would have a negative impact of some 1 per cent on European GDP, costing some €143 billion annually, he said.

While the court “of course has to the apply the law even if the heavens fall in”, it should know to what extent the heavens might fall in on the basis of its decision, counsel said. Eileen Barrington SC, for the US, said it is in “a unique and unprecedented position” because its laws were at the heart of the case” and it was of “critical importance” it be joined to inform the court about the adequacy of US data protection laws. It was hard to exaggerate the importance with which the US viewed this case with its potential to impact on US agencies and EU-US commerce, she said.

Ms Barrington disagreed with Mr Schrems that the US's role should be confined to submissions on US surveillance law only and said it wanted to make submissions concerning US law and practise and how that might compare with law in other EU states. The US also wanted to address the Privacy Shield negotiations. A draft decision on the Privacy Shield, based on commitments from the US, concludes the US offers an adequate level of protection, she added.

Mr Collins, for the Commissioner, said, if the court agreed to allow the US provide evidence on US law, that must be sworn and capable of being tested by other expert witnesses. Colm O'Dwyer SC, for EPIC, a Washington DC based independent data privacy watchdog, said it wanted to provide "another source of information" about the adequacy of US data protection and considered the key issues in the case concerned "surveillance and privacy". Nuala Butler SC, for the IHREC, said other human rights bodies will not have access to the CJEU unless her client is involved.