EU Privacy Litigation: United States Now Filing An Amicus Brief in Facebook Case

EU FlagBy Jason Liu

The United States will be filing an amicus brief in the ongoing EU case between privacy activist Max Schrems and Facebook. Although not filed yet, the brief will provide vital information on the U.S.’ stance on privacy and international data transfers.

The case comes about because the Data Protection Commissioner of Ireland sought a declaratory action in the Irish High Court, alleging that Facebook was illegally transferring EU citizens’ data to the U.S. under EU law.

Past Privacy Actions in Europe

In the related pivotal case invalidating the U.S.-E.U. Safe Harbor agreement, Max Schrems, an Austrian privacy activist and attorney, brought a prior complaint with the Data Protection Commission (in Ireland) that Facebook was illegally transferring EU citizen information to the U.S. Schrems claimed that the personal data he provided to Irish Facebook servers was also transferred to the U.S.

But what is the Safe Harbor in question? EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The prior Safe Harbor agreement allowed U.S. companies to transfer EU citizen data to the U.S. if the U.S. government promised to protect the data.

Schrems claimed that the U.S. failed to provide legal protections against U.S. surveillance of data on U.S. servers. These claims were supported by the Edward Snowden revelations of 2013. The Snowden revelations included the NSA PRISM program that provided the U.S. government access to private industry servers of tech companies such as Google, Facebook, or Apple. Snowden also revealed surveillance of world leaders, XKeyscore (internet activity logging program), and various NSA practices used to overcome encryption and hacking methods.

Ultimately, the European Union Court of Justice (EUCJ) ruled that the Safe Harbor agreement was invalidated due to inadequate protection of EU citizens’ data to the U.S. in light of the Snowden revelations.

What is going on now?

Following the case, the Irish Data Protection Commissioner referred Schrems’ original complaint against Facebook to the Irish High Court and also the EUCJ. The current case is about Standard Contractual Clauses and the ability of tech companies to contract with EU citizens to have their data stored in U.S. servers. U.S. companies have argued the “model clauses” from template agreements provided by the EU Commission let EU member states send personal data to countries lacking “adequate levels” of protection under the 1998 Data Protection Act.

In response, Shrems stated that:

I see no way that the [EUCJ] can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.

What will be the U.S.’ amicus position?

Although unwritten, the U.S.’ amicus brief may contain stances from the U.S.-EU Privacy Shield that was recently ordered by the EU Commission. Notably, the new Privacy Shield will provide:

  • Strong obligations on companies and robust enforcement;
  • Redress options;
  • Clear safeguards and transparency obligations on U.S. government access; and
  • Annual joint review monitoring.

However, because the EU Order providing for the Privacy Shield was EU-centric, it has been difficult to discern which particular points are emphasized by the U.S. Thus, the amicus brief may be a unique opportunity to learn about the most compelling arguments of the U.S. in light of the new Privacy Shield.

Furthermore, although the amicus brief will be directed at international data transfers, it may also prove an important way to gauge how the U.S. views the domestic regulation of data. Through the Cybersecurity National Action Plan, the Obama administration has shown support for protecting privacy rights through the creation of the Federal Privacy Council.

Of course, any further insight into the U.S. treatment of consumer information is always welcome.

Image source: Pixabay

Could the E.U.-U.S. Privacy Shield Provide Greater Protection to U.S. Citizens’ Personal Data?

kenzieo_picBy Mackenzie Olson

The E.U.-U.S. Privacy Shield promises greater privacy protection for E.U. citizens’ personal data, but it provides no such assurances to U.S. citizens—even though consumers have become increasingly concerned about how companies use their personal information. However, as companies reconfigure their current privacy protocols to satisfy these new standards, U.S. citizens could realize a windfall.

In Europe, privacy is considered a fundamental right, though it is not in the U.S. Data protection safeguards are included in the E.U.’s charter, but there is no U.S. federal law that establishes a right to privacy. The Safe Harbor data transfer agreement of 2000 between the U.S. and E.U. previously dictated how companies could satisfy the heightened privacy requirements due their E.U. customers’ personal data. However, Safe Harbor is now defunct. In October 2015, the European Court of Justice struck down the agreement because it failed to protect E.U. citizens from U.S. government surveillance. Ever since Edward Snowden’s 2013 document leaks revealed details about the National Security Agency (N.S.A.)’s intelligence operations, Europeans have been concerned about how U.S. intelligence uses their personal data. Though the European Commission and U.S. Department of Commerce are still developing the details of the Privacy Shield and its text, officials state that an agreement should be reached by the second part of February of this year. Continue reading

U.S. Internet Giants (Probably) Hit Hard By European Safe Harbor Privacy Ruling

privacyBy Brooks Lindsay

The European Court of Justice ruled on October 6 to scuttle a 15-year data-transfer pact with the United States. This pact provided a “safe harbor” to over 4,000 transatlantic U.S. companies that claimed to satisfy “adequate” data-protection standards under European law. The “safe harbor” principles allowed U.S. companies operating in Europe, like Facebook and Google, to gather the private information of European citizens and transfer that data to U.S.-based servers, so long as those companies self-certified that they complied with the E.U.’s “adequacy” standards for privacy protection. The European court decided that these principles violated Europeans’ rights to privacy because they allowed American government authorities to gain easy access to Europeans’ online information through U.S.-located databases.

The Court’s ruling is in many ways a reaction to revelations over the past few years of U.S. government mass-surveillance programs, highlighted most poignantly by Edward Snowden’s leak in 2013. The Court’s ruling is based in large part on the premise that the U.S. government and U.S. companies can no longer credibly certify that they are protecting Europeans’ privacy and meeting Europe’s baseline data-protection standards. Continue reading