Facebook’s Efforts to Squash Scrutiny of the EU-US Privacy Shield
Currently, Facebook is before the Supreme Court in Ireland asking to curtail judicial powers that allow courts to refer questions on the EU-US Privacy Shield Agreement to the CJEU. This is part of an ongoing litigation of Max Schrems, who was still an Austrian law student at the start of the litigation, against the Irish Data Protection Commission (DPC) in the jurisdiction of Ireland where Facebook currently holds its EU headquarters for tax and company law purposes. The litigation has the capacity to change the face of the transatlantic relationship, not least now, at a critical juncture of fragility and uncertainty and represents an extraordinary step.
A Report from the Commission to the European Parliament and the Council on the first annual review of the EU-U.S. Privacy Shield in 2017 made modest recommendations, albeit urged the US to urgently fill U.S. appointments to the Privacy Civil Liberties Oversight Board (“PCLOB”), an independent privacy oversight body. The European Parliament looks likely to vote for suspension of the Privacy Shield unless considerable changes are made to comply with EU data protection rules by 1 September 2018, as to data control, remedies and oversight (European Parliament resolution of 5 July 2018 on the adequacy of the protection afforded by the EU-US Privacy Shield). Facebook’s decision to shift its headquarters from Ireland to the US for data control purposes is singled out by the European Parliament as providing inadequate protection for EU citizens. There is increasing concern about the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a US law that grants the US and foreign police access to personal data across borders, which conflicts sharply with EU data protection laws. Facebook and the Privacy Shield look equally vulnerable these days.
Schrems has already had an extraordinary victory in 2015 to strike down the EU-US Safe Harbour Agreement. In Schrems v. Data Protection Commission the Court upheld his complaint to the Irish Data Protection Commissioner (DPC) that it was bound by the Commission Decision setting up the Safe Harbour Regime, and needed to have regard to the EU Charter of Fundamental Rights.
EU-US Privacy Shield: modest improvements
A new replacement for Safe Harbour emerged in the form of the EU-US Privacy Shield agreement that was adopted in 2016. It purports to follow Safe Harbour with modest institutional innovations and largely replicates the self-certification approach of Safe Harbour. Scattered across a series of lengthy ‘letters’ its institutionalised dimensions arguably remain weak and highly ‘localised’. The Privacy Shield institutionalises transatlantic data processing through the evolution of oversight layers (Data Processing Authorities, Ombudsman, Judicial authorities). Yet there are many who argue, for example, that insufficient distance exists between the Ombudsman and the intelligence community that is required for it to act in an independent manner and the issue has been ongoing for some time (Vĕra Jourová and Emily O’Reilly, ‘Follow-up reply from the European Ombudsman to Commissioner Jourová on the use of the title “Ombudsperson” in the EU-US Privacy Shield agreement’).
The questions referred to the CJEU on the Privacy Shield
The questions referred recently by the Irish High Court ‘Schrems II’ – incidentally, the judge who referred Schrems I was recently appointed to the CJEU as the Irish nominee (Mr. Justice Dr. Gerard Hogan SC) – show in no small point how the Privacy Shield amounted to an extraordinarily complex legal bargain struck between the EU and US. The Irish Court has asked the CJEU an array of issues in 11 questions on the model contractual clauses in contracts (Standard Contractual Clauses) and powers of a DPC to terminate data flows in the so-called Schrems II case. These include: Whose laws must satisfy whose? How should US law be understood and interpreted in Europe precisely (The CJEU is currently being asked how to understand Commission Decision on Standard Contractual Clauses in Data SCC Decision 2010/87/EU as amended by Commission Decision 2016/2297: on standard contractual clauses for the transfer of personal data to third countries and to processors established in such countries, under Directive 95/46/EC of the European Parliament and of the Council). It may consider: where there is a violation of rights through transfer, what precisely is the comparator? The Charter, EU treaties, secondary legislation e.g. a Directive or the European Convention on Human Rights (ECHR)? The adequacy of the Ombudsman is also the subject of the reference.
Facebook’s procedural appeal to the Irish Supreme Court
It is quite significant that Facebook has sought to row back on the powers of national courts at lower level to refer questions to the CJEU. It has in particular attacked the ‘untrammelled discretion’ of national courts under Irish Constitutional Law to refer questions to the CJEU and attacked a legacy of important Irish case law (Data Protection Commissioner & anor -v- Facebook Ireland Limited & anor [2018] IESC 38). It is also a fundamental principle of EU constitutional law that the CJEU has always generously interpreted the powers of lower national courts to refer questions to them under Article 267 TFEU.
The Irish Supreme Court has agreed to this procedural step, of hearing Facebook’s complaints, to be considered before the end of the year – and thus after the September deadline of the European Parliament. In all likelihood, Facebook’s pleas show the significant procedural lengths that it is willing to go to in litigation to quash scrutiny of the transatlantic data agreement.
Is Facebook or the Privacy Shield most vulnerable?
The September deadline imposed by the European Parliament is of note. In its resolution of July 2018, it complained about the failure of the US to appoint officials to the PCLOB. Since this resolution, the US administration has appointed members thereto. The European Parliament continues to vociferously challenge the authority of Facebook in light of its handling of the data of 1.5 million citizens in the Cambridge Analytica saga. Its views were made known to Facebooks CEO, Zuckerberg, who testified before the European Parliament in May 2018. The soft power here of the European Parliament in the face of hard power litigation at national and European level makes for a significant duel and the Privacy Shield and Facebook’s transatlantic data flows look like being in equal jeopardy.