Gregory P. Bufithis, Esq.
6 February 2017 – The closely followed case challenging the validity of Standard Contractual Clauses for the transfer of personal data outside the EEA to countries considered not to provide an adequate level of data protection, including the U.S., is progressing with a hearing coming up tomorrow, 7 February, before the Irish High Court.
My team will be ringside … ummm, courtside … for the hearing.
A very brief backgrounder (hat tip to Sidley Austin and Hogan Lovells)
On May 31, 2016, the Irish Data Protection Commissioner (“DPC”) commenced proceedings in the Irish High Court, seeking a reference to the Court of Justice of the European Union (“CJEU”) in relation to a complaint made by Max Schrems against Facebook Ireland Ltd’s use of an international data transfer mechanism known as “Standard Contractual Clauses” or “Model Contracts” (“SCCs”).
SCCs are standard form data transfer agreements between a data exporter in the EU and a data importer outside of the EU which are entered into to provide an adequate level of protection to permit the transfer of personal data from the EU.
The proceedings are titled Data Protection Commissioner v. Facebook Ireland Limited & Maxmillian Schrems 2016/4809P. You can find more details by clicking here.
The proceedings have several elements in common with the application (also in relation to a complaint made by Schrems) that led to the CJEU’s 2015 decision to invalidate the U.S. EU Safe Harbour Framework. Schrems’ complaint is that Facebook Ireland Ltd’s use of SCCs for the transfer of personal data to its U.S. headquarters is an inadequate protection of his personal data under Article 8 and fails to provide sufficient remedy under Article 47 of the Charter of Fundamental Rights of the EU.
The High Court fixed a date for the hearing on 7 February 2017 and the hearing is expected to run for approximately 3 weeks.
The Irish High Court has published a short expected timetable for the hearing:
- The hearing will commence with opening submissions from the DPC on 7 February 2017.
- Short opening statements will follow from Schrems and Facebook, in that order.
- Cross-examination of Schrems’ expert witness will be on 10 February 2017.
- This will be followed by cross-examination of the DPC’s expert witnesses, and those of Facebook.
- Each of the 4 amicus curiae (“friends of the court”) will then file legal submissions as to the issues in the case.
- The case will close with submissions to be made by each of the parties, in the following order: Schrems; followed by Facebook, and then the DPC.
- The High Court will then determine whether it should make a referral to the CJEU in relation to the validity of the EU Commission decisions on SCCs.
Ten third parties applied to be joined to the proceedings as amicus curiae (“friends of the Court”). These were:
- the US Government
- Electronic Privacy Information Centre (EPIC)
- BSA Business Software Alliance
- Digital Europe
- Electronic Frontier Foundation (EFF)
- the Irish Council for Civil Liberties
- the American Civil Liberties Union,
- Mr Kevin Cahill
- IBEC Limited
- the Irish Human Rights and Equality Commission.
The Irish High Court ruled that four of the ten parties (the US Government, BSA Business Software Alliance, Digital Europe and EPIC) could be joined to the proceedings as “friends of the Court”. This allows those parties to make representations to the High Court. The applications by the other parties were refused.
My video interview with Max Schrems
At the recent International Cybersecurity Forum in Lille, France I had the opportunity to do a video interview with Max Schrems. Our interview focused on the new GDPR becoming effective May 2018 but we also had a brief discussion on model contracts, his points being:
- model contracts pose a very serious issue for the US tech industry and EU – US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right.
- He does not see any way the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws.
- All data protection lawyers know that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with.
- As long as the US does not substantially change its laws he did not see how there could ever be a solution. And now with Trump ….
- A copy of Facebook’s “Model Clauses” contract does not provide any means of redress for EU citizens whose rights may be violated by U.S. mass surveillance.
NOTE: tomorrow I will include a clip from my video interview with Schrems when I report on the proceedings of the first stage of the hearing tomorrow.
A few thoughts
It’s not as if U.S. corporations have been caught unaware. Many are building EU data centers with legal firewalls between their operations and the U.S. corporation. In the e-discovery world, there are at least two EDD vendors building e-discovery appliances that will be “EU only” with no connection to the U.S.
Whether any of this will help is questionable due to the power of “leverage”. In the case of a subsidiary (as was the case with Microsoft Ireland, for example), you’re deemed as owner to have enough power to compel certain activity. This stance is assisted by the refusal of U.S. law to acknowledge that anything else exists in the Universe: U.S. courts could care less that complying with a U.S. order for disclosure could cause the subsidiary to be in breach of local laws.
Note: to obtain a brilliant perspective of this issue I urge you to read U.S. Supreme Court Justice Stephen Breyer’s book The Court and the World which is a fascinating account of how an increasingly globalized and interdependent world influences the deliberations of America’s highest court and must influence all U.S. courts.
It was getting slightly better insofar that moving your HQ from the U.S. helped a bit. But Trump seems to be putting the brakes on that. And as I learned at the Lille event referenced above, the true test will be the attempts being made to defeat leverage through these big hosting projects and resales set ups: they’re mainly tests to see what amount of work needs to be done to create feasible proxies to indeed establish that sort of isolation. But in the case of a contractual relationship, if the DOJ can make it stand that you have set up such a contract to specifically work your way around U.S. law you have a problem too.
That latter point, by the way, is far more complicated anyway: hosting the data of your company outside your home jurisdiction still deems said data to remain under the jurisdiction of origin. I am baffled how so many U.S. companies who think that just hosting their data abroad somehow makes it magically exempt from jurisdictional law.