By Jason Liu
The United States will be filing an amicus brief in the ongoing EU case between privacy activist Max Schrems and Facebook. Although not filed yet, the brief will provide vital information on the U.S.’ stance on privacy and international data transfers.
The case comes about because the Data Protection Commissioner of Ireland sought a declaratory action in the Irish High Court, alleging that Facebook was illegally transferring EU citizens’ data to the U.S. under EU law.
Past Privacy Actions in Europe
In the related pivotal case invalidating the U.S.-E.U. Safe Harbor agreement, Max Schrems, an Austrian privacy activist and attorney, brought a prior complaint with the Data Protection Commission (in Ireland) that Facebook was illegally transferring EU citizen information to the U.S. Schrems claimed that the personal data he provided to Irish Facebook servers was also transferred to the U.S.
But what is the Safe Harbor in question? EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The prior Safe Harbor agreement allowed U.S. companies to transfer EU citizen data to the U.S. if the U.S. government promised to protect the data.
Schrems claimed that the U.S. failed to provide legal protections against U.S. surveillance of data on U.S. servers. These claims were supported by the Edward Snowden revelations of 2013. The Snowden revelations included the NSA PRISM program that provided the U.S. government access to private industry servers of tech companies such as Google, Facebook, or Apple. Snowden also revealed surveillance of world leaders, XKeyscore (internet activity logging program), and various NSA practices used to overcome encryption and hacking methods.
Ultimately, the European Union Court of Justice (EUCJ) ruled that the Safe Harbor agreement was invalidated due to inadequate protection of EU citizens’ data to the U.S. in light of the Snowden revelations.
What is going on now?
Following the case, the Irish Data Protection Commissioner referred Schrems’ original complaint against Facebook to the Irish High Court and also the EUCJ. The current case is about Standard Contractual Clauses and the ability of tech companies to contract with EU citizens to have their data stored in U.S. servers. U.S. companies have argued the “model clauses” from template agreements provided by the EU Commission let EU member states send personal data to countries lacking “adequate levels” of protection under the 1998 Data Protection Act.
In response, Shrems stated that:
I see no way that the [EUCJ] can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.
What will be the U.S.’ amicus position?
Although unwritten, the U.S.’ amicus brief may contain stances from the U.S.-EU Privacy Shield that was recently ordered by the EU Commission. Notably, the new Privacy Shield will provide:
- Strong obligations on companies and robust enforcement;
- Redress options;
- Clear safeguards and transparency obligations on U.S. government access; and
- Annual joint review monitoring.
However, because the EU Order providing for the Privacy Shield was EU-centric, it has been difficult to discern which particular points are emphasized by the U.S. Thus, the amicus brief may be a unique opportunity to learn about the most compelling arguments of the U.S. in light of the new Privacy Shield.
Furthermore, although the amicus brief will be directed at international data transfers, it may also prove an important way to gauge how the U.S. views the domestic regulation of data. Through the Cybersecurity National Action Plan, the Obama administration has shown support for protecting privacy rights through the creation of the Federal Privacy Council.
Of course, any further insight into the U.S. treatment of consumer information is always welcome.
Image source: Pixabay