14:03, October 03 319 0 law.com

2017-10-03 14:03:14
Irish Court Throws U.S.-EU Data Transfers Into Uncertainty

Jason Doiy / The Recorder

A decision Tuesday by Ireland’s High Court in the case brought by Austrian privacy activist Max Schrems has cast new uncertainty on the legal tool that Facebook and thousands of other U.S. companies use to transfer personal data from their operations in the European Union.

Irish High Court Justice Caroline Costello in a highly anticipated ruling said the Irish Data Protection Commissioner had raised “well-founded concerns” about whether U.S. surveillance practices deny EU citizens fundamental rights once their data is transferred to the U.S.

Costello’s decision tees up yet another case at the Court of Justice for the European Union (CJEU) in Luxembourg—the EU’s highest court—to determine the validity of “Standard Contractual Clauses,” a key legal tool companies use to transfer EU citizens’ personal data outside the bloc. A final decision is likely still years away.

“Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the U.S. or elsewhere around the globe, and are used by thousands of companies to do business,” Facebook said in a statement. “They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.”

How the EU’s highest court will rule will be influenced in part by how Costello frames her formal question of what is to be decided. The justice still has yet to determine that, and both Facebook and Ireland’s Data Protection Commissioner are expected to weigh in beforehand.

The immediate practical impact of the ruling is hard to assess because the EU high court’s decision is unlikely to come for years and because of the shifting legal landscape in Europe around data privacy. The EU’s new General Data Protection Regulation, which takes effect in 2018, would require substantial updates to standard contractual clauses (SCCs) anyway.

But the referral of the case to the CJEU creates the possibility that the EU’s highest court will find that those clauses, no matter how they are constructed, are invalid because of U.S. surveillance practices. In other words, even if companies spend the next year making SCCs compliant under the new regulation, there is risk that they could be wiped away.

The case may also invite a repeat of the EU high court’s 2015 ruling on a separate legal tool for transatlantic data transfers, then known as “Safe Harbor.” After being struck down by the high court—in a case that also started with a complaint by Schrems to the Irish data protection commissioners—the U.S. and EU negotiated a new framework called “Privacy Shield.”

But in her ruling, Costello attacked some of the new features of the Privacy Shield arrangement as deficient. Specifically, she noted that its creation of a privacy “Ombudsman” at the U.S. State Department to field concerns about how EU citizens’ data are handled “will neither confirm nor deny whether the individual has been the target of surveillance nor will the Ombudsperson confirm the specific remedy that was applied.”

Facebook, whose lead U.S. counsel in the case is Joshua Lipshutz of Gibson, Dunn & Crutcher, had tried to convince Justice Costello that the U.S. surveillance practices are reigned in by substantial oversight and laws that prevent abuse of privacy, consistent with EU law. Former White House privacy expert and Alston & Bird attorney Peter Swire and Stephen Vladeck of the University of Texas School of Law also offered testimony for Facebook.

But Costello was not persuaded. “Quite clearly there are extensive rules to ensure that data is obtained in accordance with law and data, once obtained, is not misused. This is not the same as providing a remedy where the rules are broken and data is unlawfully collected or otherwise misused,” she wrote in her ruling. (The justice underscored that she was not passing a value judgment on the U.S. legal regime but only assessing whether there was a real question of whether it meets the standards of EU privacy law.)

She cited U.S. Supreme Court decisions that she said had made it more difficult for plaintiffs to establish standing in challenging surveillance practices, including Clapper v. Amnesty International USA. That case—which divided the court 5-4—sought to challenge Section 702 of the Foreign Intelligence Surveillance Act, which created new procedures for authorizing electronic surveillance of non-U.S. persons abroad.

Schrems, in a statement, welcomed the Irish High Court’s decision. “It is important that a neutral court outside of the U.S. has summarized the facts on US surveillance in a judgment, after diving through more than 45,000 pages of documents in a five-week hearing,” he said. “Facebook seems to have lost in every argument they were making.”

In addition to Gibson Dunn, Facebook is represented by Irish firm Mason, Hayes & Curran. The main barristers for Facebook are Paul Gallagher, a former Irish attorney general, and Niamh Hyland. Dublin solicitors firm Ahern Rudden Quigley have been representing Schrems; the principal barrister arguing on his behalf was Eoin McCullough.