The Irish Data Protection Commission (DPC) copped the blame from witnesses in the European Court of Justice yesterday over its role in the Facebook case concerning the transfer of data to the US from its Irish subsidiary.
Back in 2013, privacy activist Max Schrems asked the regulator whether Facebook sending his data to the US was in breach of European data protection law. Six years later, we are getting closer to answer.
The case goes beyond the so-called "Privacy Shield" – the legal fig leaf introduced after Schrems convinced the European Court of Justice to strike out the previous Safe Harbor agreement to grease data transfers between the EU and US.
The court in Luxembourg is also considering whether "standard contractual clauses (SCCs)" are sufficient protection for consumers, and asked why the Irish regulator could not make its own ruling on the legal data transfer terms. SCCs are used worldwide to facilitate data transfers.
Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum, said: "The hearing today has more at stake than the first Schrems/EU-US Safe Harbor case because this time around it may impact international data transfers not only from the EU to the US, but from the EU to the entire world where standard contractual clauses are relied upon.
"At the same time, the successor of the Safe Harbor, the EU-US Privacy Shield, is also on the table."
Instead of making a ruling on Schrem's complaint back in 2013, the regulator asked an Irish court whether the clauses provided enough protection for consumers. After lengthy legal toing and froing, the issue was sent to Luxembourg for an ECJ decision.
It was this passing of the buck that several witnesses took issue with.
Facebook's lawyer warned that striking out SCCs would have a serious impact on world trade.
The court also heard from the Business Software Alliance, the European Commission and the Electronic Privacy Information Center as well as lawyers for Max Schrems, the US government and the Irish DPC.
In fact, this seems to have united both sides – Facebook and Schrems both seem to believe that SCCs should be adequate to solve the impasse.
Complainant Max Schrems, chairperson of noyb, a pressure group which uses litigation to improve privacy practises, said in a statement:
"We are proposing a measured solution: The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over. This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2-3 per cent of the cases that were brought before it. We don't have a problem with 'Standard Contractual Clauses', we have a problem with enforcement."
The case does not cover all data transfers to the US. The complaint was made against Facebook because it was named by Edward Snowden as complying with mass-surveillance schemes like PRISM. It is this mass-processing which is under investigation.
The court will release a non-binding opinion on 12 December this year followed by a full decision early in 2020.
Given the complexity of the legal issues under consideration, few lawyers are risking making bets either way. It could be that the court rules it is up to Ireland's DPC to decide and kicks the can back to Dublin for a decision.
The DPC told The Reg that it "does not at this time have any statement regarding yesterday’s CJEU hearing concerning Standard Contractual Clauses and the matter remains before the Court." ®