Issue link: https://maltatoday.uberflip.com/i/1140325
EUROPE TECHNOLOGY maltatoday | WEDNESDAY • 10 JULY 2019 12 AUSTRIAN lawyer and pri- vacy activist Max Schrems is calling for the Irish data pro- tection authority to finally take action to enforce Euro- pean data protection rules on Facebook. The call comes as the Court of Justice of the European Union (CJEU) hears a case on EU-US data transfers and mass surveillance by the US govern- ment. The case centres around a complaint by Schrems against Facebook in 2013 as a result of revelations by whistleblower Edward Snowden's disclosure that Facebook allows the US intelligence services access to personal data of Europeans un- der surveillance programmes such as Prism. The complaint seeks to stop EU-US data transfers of Fa- cebook, but so far the Irish data protection commissioner (DPC) has not taken any con- crete action aimed at doing so. The case was first rejected by the Irish DPC in 2013, then subject to judicial review in Ireland and a reference to the CJEU. In 2015 the CJEU ruled that the Safe Harbor agreement that allowed EU-US data transfers was invalid, and that the Irish DPC had to investi- gate the case. At the end of 2015, the DPC informed Schrems that Face- book had in fact never relied on the Safe Harbor agree- ment, but had instead relied on standard contractual claus- es (SCCs) as a mechanism to transfer data from the EU to the US. In response, Schrems adapt- ed his complaint to the trans- fers being made under SCCs and called for the end of data transfers to Facebook in the US because they could make the data available to the Na- tional Security Agency (NSA). The DPC conducted an in- vestigation from December 2015 to spring 2016, but in- stead of deciding on the com- plaint, the DPC filed a lawsuit against Facebook and Schrems at the Irish High Court in 2016 to refer further questions to the CJEU. After more than six weeks of hearings, the Irish High Court found that the US government engaged in "mass processing" of European personal data and referred eleven questions to the CJEU for a second time in 2018. The CJEU scheduled the case for 9 July 2019, with a judgment expected before the end of the year. After the judgement of the CJEU, the DPC will finally have to decide on the com- plaint, and the decision could again be subject to appeals by Facebook or Schrems. In the latest case, the Irish DPC and Schrems both con- tend that US surveillance laws violate fundamental rights to privacy, data protection, and redress under European law. However, the data protection commissioner Helen Dixon claims she has no power to solve the issue. According to Schrems, be- cause the data transfer mecha- nism Facebook (SCCs) does not foresee such a situation, the clauses themselves need to be invalidated. This would mean that data transfers to any non-EU coun- try under this instrument would have to be stopped, which could have a huge im- pact on companies that rely on SCCs for running their busi- nesses. Facebook takes the view that US law does not go beyond what is legal under EU law. Fa- cebook also questions whether the EU has any jurisdiction on "national security" cases. Fa- cebook sees no problem with continuing to transfer data to the US. Facebook also relies on the European Commission's as- sessment of US law in the so- called Privacy Shield decision, which says that US surveil- lance laws comply with EU re- quirements. Although Schrems agrees with the DPC on the problem, he proposes a more measured solution, arguing that article 4 of SCCs permits the DPC to stop individual data transfers like Facebook's. Schrems says that the Irish DPC has a duty to act, instead of referring the case back to the CJEU. On Facebook's reliance on the "Privacy Shield", Schrems takes the view that the Privacy Shield Decision by the Euro- pean Commission does not adequately describe US sur- veillance laws and is therefore not able to provide adequate privacy protections, and there- fore should be invalidated. The European Commission is expected to defend both its de- cisions on the SCCs and Priva- cy Shield. It is expected to side with the US and Facebook on the view that there is no viola- tion of fundamental rights in the US, but also acknowledge that the DPC has the power to solve the issue itself if the CJEU sees a violation of funda- mental rights in the US. In a statement issued ahead of the case, Schrems said he is proposing a measured so- lution. "The Irish DPC must simply enforce the rules prop- erly, instead of kicking the case back to Luxembourg over and over. "This case has been pending for six years. Over these six years, the DPC has actually de- cided in a mere 2%-3% of the cases that were brought before it. We don't have a problem with SCCs, we have a problem with enforcement." Commenting on the case, Ad- am Rose, data protection part- ner at legal firm Mishcon de Reya, said Schrems previously convinced the CJEU to agree with his argument that the bi- lateral agreement between the EU and the US, under the title of the Safe Harbor scheme, did not give Europeans sufficient protection for their personal data if it was sent to the US, and as a result the EU and the US agreed a new deal, known as the Privacy Shield. "The model clauses, which Mr Schrems is now challeng- ing, presumably face the same limitations and loopholes as the Safe Harbor scheme did, and one would expect that the European Court will again agree with him," said Rose. "If that happens, it blows a massive hole through the sys- tem set up some years ago to enable the smooth transfer of personal data from the EU to the US." European Court hears case on EU-US data transfers Facebook could be forced to rethink its legal position regarding transfers of data of EU citizens to the US, as the CJEU considers the validity of standard contractual clauses that many businesses rely on