Ireland’s Data Protection Commissioner (DPC) has asked Europe’s highest court to invalidate Facebook’s main transatlantic data transmission channel, claiming it enables illegal US spying on EU citizens.
In oral submissions on Tuesday morning at the Court of Justice of the European Union (CJEU), almost all other parties opposed such a move, but for different reasons.
Tuesday's hearing has its roots in a 2013 complaint against Facebook by Austrian privacy campaigner Max Schrems but derives from a DPC application to the High Court. It in turn has asked the CJEU, for the second time in four years, for guidance on Facebook's data collection in Europe and Ireland's regulation of the company.
At Tuesday’s hearing, counsel for Facebook, the US federal government and industry groups warned that invalidating the main legal instrument used for Facebook’s EU-US data transmissions – so-called “standard contractual clauses” (SCCs) – would have huge knock-on effects for European businesses and citizens.
Lower standard
But Mr Michael Collins, for the DPC, said SCCs allowed illegal data collection by US intelligence by applying a lower standard of protection.
“Facebook’s position is that some lower level of protection is permissible,” he said, “but none of the parties articulate what that lower level is supposed to be.”
Paul Gallagher, SC for Facebook, disputed this, saying the US social media company was “not defending US signal intelligence law: it is coping with it”.
“And it believes it copes with it in a lawful way,” he added.
Eoin McCullough, for Max Schrems, disagreed with the DPC’s “radical solution” to invalidate SCCs.
“The solution is not to have the court invalidate SCCs but for the DPC to enforce them,” he said, saying the Irish regulator – after six years on the case – had a duty to protect EU citizens’ privacy rights.
The current “Privacy Shield” system for managing personal data transfers between the EU and US was, he argued, as ineffective as its “Safe Harbor” predecessor – struck down by the CJEU in its 2015 Schrems ruling.
It emerged subsequently that Facebook’s main transatlantic data transmission channel was not “Safe Harbor” but SCCs.
US intelligence
Eileen Barrington SC, representing the US government, said its gathering of non-US citizens’ data had been “mischaracterised”. It was not “mass, indiscriminate or generalised” but targeted, filtered and screened by US government and intelligence.
“The fundamental problem in our submission with DPC case ... is that it fails to take any adequate account of the national security context,” she said.
Mr Collins, for the DPC, disputed US claims of transparency and restraint on data collection. A US ombudsman set up for dispute management was not independent, he said, but operated inside the Department of State.
Eoin McCullough, for Max Schrems, said US intelligence services were not covered by freedom of information (FoI) laws and could ignore European citizens’ requests for information.
Of member states present – including France, the Netherlands, Germany, Austria and the UK – none agreed with the DPC that SCCs should be invalidated.
Mr David Fennelly, for Ireland, told the court SCCs were “probably the single most important mechanism” for data transfers out of the EU and could become even more crucial after Brexit.
Data protection commissioner Helen Dixon said the afternoon’s questions suggested the court was looking closely at the issues of concern to her, which prompted her original application to High Court.
“We are trying to do the right thing,” she said outside the chamber. “At the hearing today all parties were heard, the court will make its judgment and we will respect it, whatever it is.”
The CJEU’s advocate general will issue his recommendations on December 12th with a ruling likely in early 2020.