Schrems busts Privacy Shield wide open

Dublin Judge asks European Court to look at data flows all over again

Privacy activist and student Max Schrems has hailed an Irish Court decision today to refer cross-Atlantic data flows back to the European Court of Justice – all over again.

Schrems sparked the original litigation which led to the Court throwing out the "Safe Harbor" legal framework that governed flows of European citizens’ private data to America (judgment here).

After US Congress agreed to expand the scope of data surveillance, and Edward Snowden revealed the extent of bulk data collection via the PRISM programme, the Court felt it couldn’t guarantee citizens’ data would remain private. As we explained, “US companies that export data are fundamentally illegal in Europe.”

When Safe Harbour fizzled away, some data controllers fell back to Standard Contractual Clauses, and others turned to an ad hoc fix dubbed Privacy Shield.

Both Facebook and Schrems challenged this new framework in Ireland (Facebook’s European HQ) for different reasons. Schrems argued that the “self certification” protection wasn’t protection at all.

In a 150-page judgment in DPC v Facebook at the High Court in Dublin today, Justice Costello bounced the issue up to the CJEU.

Why send it up?

Facebook and the US government had argued that electronic surveillance in the US was consistent (it doesn’t have to be identical) with European legal safeguards, as it was overseen by FISA ( Foreign Intelligence Surveillance Act) courts. 2015’s FREEDOM Act also outlawed bulk surveillance, the US argued. It did admit that intercepts made under a US Presidential Executive Order (EO 12333) - which authorises the tapping of undersea cables - “are not governed by statute, are not subject to judicial review” and have no limits on data collected on foreign citizens. No evidence of data collection under EOs was presented.

The Judge however concluded that data collected under PRISM and Upstream, two Snowden revelations, showed evidence of “mass indiscriminate processing of data by the Unites States government agencies, whether this is described as mass or targeted surveillance.”

The Judge therefore agreed with the Data Protection Commissioner raised “well founded concerns” that there is an effective remedy for European citizens under US law.

The introduction of the Privacy Shield Ombudsperson mechanism in the Privacy Shield decision does not eliminate those well-founded concerns. A decision of the CJEU is required to determine whether it amounts to a remedy satisfying the requirements of Article 47.

In his reaction, Schrems issued the following video explanation, and this: (pdf) written one

“I welcome the judgment by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgment, after diving through more than 45.000 pages of documents in a five week hearing. Facebook seems to have lost in every argument they were making,” Schrems wrote.

An important judgment? You bet.

"It paves the way for the European courts to again potentially invalidate the legality of a very commonly used data transfer mechanism under EU law,” said Brian Johnston of law firm Bristows.

“Standard Contractual Clauses are relied on by 88 per cent of EU companies transferring data outside the EU, the implications are potentially even more significant than in 2015 and the end of Safe Harbor.” ®


Biting the hand that feeds IT © 1998–2017