US govt is in, EFF told to take a hike in post-Safe Harbor wrangling over privacy and EULAs

Judge picks friends of court in case studying info safeguards

11 Reg comments Got Tips?

An Irish high court judge has accepted the US government into a high-profile case involving Facebook and mass surveillance – but rejected a number of civil liberties groups including the Electronic Frontier Foundation (EFF).

In a judgment [PDF] published Tuesday, Justice Brian McGovern noted that the United States government has a "significant and bona fide interest in the outcome of these proceedings," whereas the EFF effectively adds nothing new to the case.

"I am not satisfied that it can offer any particular assistance to the court which will not be furnished by either the parties to the proceedings or the amici curae whom I have decided to admit."

The case, in which law student Max Schrems argues that Facebook is unlawfully transferring his personal data to the United States, has already caused the collapse of the US and Europe's longstanding Safe Harbor agreement covering the flow of people's private information over the Atlantic and into American servers.

Now, the multi-faceted case is looking into whether companies are meeting European privacy rules when passing citizens' sensitive data to and from the United States.

At the heart of this issue is the fact that the US government engages in mass electronic surveillance on information streaming in from Europe, and European citizens have no legal recourse to challenge that under European data privacy laws.

Safe Harbor was replaced this month with Privacy Shield, which grants Europeans the aforementioned legal recourse. This case is focused on determining whether US companies' end-user agreements and privacy policies that we all agree to (but never read) are in line with the new Privacy Shield's requirements.

Of the nine applications to be "friends of the court," the judge accepted just four: the US government; DC-based privacy advocate the Electronic Privacy Information Center (EPIC); international business association the Business Software Alliance (BSA); and European public policy trade body Digital Europe.

He rejected the five others, including two civil liberties groups (the EFF and a joint filing by the Irish Council of Civil Liberties and American Civil Liberties Union); the Irish Human Rights and Equality Commission; Irish business group IBEC Limited; and data privacy campaigner Kevin Cahill.

Plenty at stake

With respect to the US government submission, the judge noted: "At issue in the proceedings is the assessment, as a matter of EU law, of the applicant's law governing the treatment of EU citizens' data transfer to the US.

"The imposition of restrictions on the transfer of such data would have potentially considerable adverse effects on EU-US commerce and could affect US companies significantly. I am satisfied that the US meets the criteria for being joined as an amicus curiae and that it can bring added value to the case which the parties may be unable to provide."

EPIC, on the other hand, will "offer a counterbalancing perspective from the US Government on the position in the US and could bring to bear an expertise which might not otherwise be available to the court," the judge decided.

The BSA was included due to the fact that its members include Apple, IBM, Intel, Microsoft, Oracle and others, and so can "offer relevant views which might otherwise not be available to the court."

Similarly Digital Europe, which "is one of the most substantial and representative groups for the digital technology industry in Europe, and ... many of its members have an interest in and will be affected by any decision made in this case."

The refusal to include data privacy advocates in the case will be seen by many as the judge siding with business and governmental interests. It is worth noting that Helen Dixon, the Irish Data Protection Commissioner, initially refused to hear Schrems' complaint and only opened an investigation after it had gone all the way to the European Court of Justice, which found that the Safe Harbor agreement covering data flows was unlawful.

When Dixon was then required to open a case, she quickly referred another question to the Court of Justice over whether the model contract clauses covering data transfer are valid. That referral requires her to seek a declaratory judgment in the Irish High Court, which would then in turn request a ruling from the Court of Justice. ®


Biting the hand that feeds IT © 1998–2020