Monday, 23 October 2017

Transfer of Data to the USA: Data Protection Commissioner v Facebook and another

Author S Kopp
Reproduced with kind permission of the author
Source Wikipedia 

Jane Lambert

Irish High Court (Ms Justice Costello) The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017)

A number of US technology companies including Facebook Inc. serve their customers in Europe through subsidiaries in the Republic of Ireland. That necessitates the transfer of personal data relating to those customers in the USA.

As I said in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, the United States and Europe take different approaches to the processing of personal data. In the EU such processing  is regulated by statutes like our Data Protection Act 1998 which implement Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive"). In the USA businesses are encouraged to adopt good data processing practices in accordance with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and some states regulate data processing in the public sector but there is no equivalent to the Data Protection Directive or our Data Protection Act as such.

To facilitate the free flow of personal data from the EU to the USA, the Commission negotiated an agreement with the US government to require companies that wished to export and process such data in the USA to offer safeguards for data subjects in Europe that were thought to be substantially similar to the protection enjoyed here under the statutes that implement the Data Protection Directive.  Those safeguards were known as the "Safe Harbor" principles. They resulted in a number of arbitration schemes one of which was operated by my chambers service company before we merged with 4-5 Gray's Inn Square in 2013.

Safe Harbor appeared to work well enough for most businesses and data subjects but the scheme was challenged by one Maximillian Schrems ("Mr Schrems") who feared that personal data flows to the USA would be intercepted and misused by US intelligence services. Whereas US citizens enjoyed rights of redress and remedies against such misuse nationals of other countries did not. He objected to the transfer of such data and complained to the Irish Data Protection Commissioner. The Commissioner took the view that he could not investigate the complaint because he was bound by the Safe Harbor agreement.

Mr Schrems asked the Irish High Court to review the Commissioner's decision. The Court considered that Mr Schrems's complaint raised issues of EU law that required a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union and referred those issues to the Court of Justice of the European Union. In Case C‑362/14, Schrems v the Data Protection Commissioner   [2016] 2 WLR 873, [2016] 2 CMLR 2, [2015] EUECJ C-362/14, [2016] CEC 647, EU:C:2015:650, [2016] QB 527, [2015] WLR(D) 403, ECLI:EU:C:2015:650 the Court ruled:
"Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
It also ruled that the Commission decision implementing the Safe Harbor principles was invalid.

The present Data Protection Commissioner has begun to investigate Mr  Schrems's complaint and has found that she is unable to do so without a ruling from the CJEU on the validity of three decisions of the Commission insofar as they apply to data transfers from the European Economic Area (“the EEA”) to the USA:
As the Data Protection Commissioner has no power to refer questions of EU law to the Court of Justice she has asked the Irish High Court to do so in The Data Protection Commissioner v Facebook Ireland Ltd and Another [2017] IEHC 545 (3 Oct 2017). She brought those proceedings against Facebook's Irish subsidiary and Mr Schrems to enable them to put their arguments before the court. The action came on before Ms Justice Costello who also allowed the government of the USA plus the Business Software Alliance, Digital Europe and the Electronic Privacy Information Centre to address her as amici curiae.

After hearing submissions from each of those parties the learned judge has decided to refer the Commissioner's questions to the Court of Justice and has invited all those who made submissions to her to address her again on the formulation of the questions to be put to the Court.  I shall report any further hearing or decision in this blog.

Should anyone wish to discuss this article, the transfer of personal data to the USA or data protection to the USA generally, he or she should call me on +44 (0)20 7404 5252 during normal office hours or send me a message through my contact form.

No comments:

Post a Comment