Simon McGarr is our guest on today’s podcast. He’s the solicitor representing Digital Rights Ireland, who were granted amicus curiae status in the case regarding the EU-US ‘Safe Harbour Agreement’, which the EU Court of Justice ruled invalid this week.
Click on the player above to listen to the show, or download it here: 21:34; 12MB; MP3.
The case arises out of a complaint by an Austrian man named Max Schrems, who asked the Irish Data Protection Commisioner to investigate whether his data held by Facebook in the US was adequately protected under EU Data protection law. The Commisioner initially dismissed his case, arguing that since Facebook was covered by the EU-US Safe Harbour Agreement, that there was no case to answer.
‘Safe Harbour’ sounds impressive, says Simon, but it amounts to nothing more than companies certifying themselves as providing ‘adequate protection’.
It’s a very peculiar thing to be called an agreement. It’s an exchange of letters between the European Commission and the US Government, where the Commission asked for reassurances in relation to how things are done in the United States with relation to data. And then a further list of names is kept by the US Government of companies who agree to mostly self-certify that they are behaving well towards European users’ data, and if you follow all those rules and you were on the list and you had done what was required in terms of self certification, then you were deemed to be part of the Safe Harbour agreement, as about 4,500 companies were.
Digital Rights Ireland and Mr Schrems argued that this was inadequate. It didn’t matter that Safe Harbour was agreed by the EU Commission: it simply didn’t measure up under the EU’s Charter of Fundamental Rights. The Court agreed.
What the court has said is that Data Protection rights aren’t just a matter of national legislation. They’re not just a matter of EU legislation: the Directive. They’re actually part of the Charter of Fundamental Rights. There’s now a separate Data Protection Right, separate and distinct, and in addition to your general Right to Privacy, written into the Charter of Fundamental Rights. The result is that when the Commission makes a decision in breach of that Charter, as the Court finds … it has the power to strike that decision down, and it did so.
Significantly, he explains, the ruling says that not only are Data Protection Commissioners permitted to investigate in spite of legislation, they are actually obliged to do so, and – if neccessary – to challenge the constitutionality of such legislation in court.
The data protection authorities of Europe – the independent overseers at national level – have been enormously strengthened by this ruling. They now have the power to make investigations, and indeed, not just the power, but an obligation is put on them by the court that they must investigate matters, even where there has been a Europe-wide decision issued from the European Commission, and if needs be they can take necessary litigation to challenge that European decision if their investigation discovers that the facts do not warrant the decision that has been made.
The ruling is set to have far -reaching implications, he says.
I think there’s no question but that it is significant, and I think it’s going to take a short period of time – not a long period of time for that significance to unfold out into the public gaze. We’ve seen a lot of holding statements issued in relation to ‘business carrying on as usual’, ‘no change’, ‘we can always use different methods of transferring data’, but those different methods – such as model contract clauses – rely on the same presumption that the Safe Harbour agreement relied on: that the United States Government wasn’t going to take a copy of all the data, a presumption which the Court has now effectively rebutted and struck down.
The judgement brings to the fore the essential ideological differences between US and European approaches to data protection.
There is no doubt but that the idea of personal data as a tradeable commodity is now anathema to the EU’s most fundamental laws. Mass surveillance is absolutely anathema to the fundamental rights of European Citizens. The European Court has said that in this case, and in the Digital Rights Ireland case, and in addition the Google Spain case has ruled on the limits of data as a profit centre, where the use of that data might contravene the personal rights of the individual, so what we see is a court that is very much staking out a series of case law precedents which say the privacy and dignity of the individual will have primacy over anything that a company, or indeed industry, may wish to use, and that includes the surveillance industry.
This ruling, he points out, carries the weight of constitutional law. The Charter of Fundamental Rights is “the bedrock document upon which the treaties, and all subsequent legislation, rest”.
So where does this leave EU-US relations, when it comes to digital business? Simon thinks that the court decision will strengthen Europe’s hand in data protection negotiations which have not been making progress. EU negotiators have already requested assurances of better data protection: now those requests carry the weight of a constitutional imperative.
“The commission can’t do a deal which trades away anything that the Court has found is fundamental to human rights. So the Commission now has an absolute red line. It cannot go lower in terms of protections than the court has found is required.”
Therefore, while businesses on both sides of the Atlantic will push for an agreement, in practice only the US has room to manouevre, as the Court decision makes much of the EU position non-negotiable.
“There’s no doubt that the Portarlington office of the Data Protection Commisioner finds itself at the sharp end of the entirety of Europe’s Data Protection regime”.
The task falls to the Irish Data Protection Commisioner to investigate Mr Schrems complaint against Facebook. Simon points out that the Commisioner’s office doesn’t have to start from square one. There is already considerable research on the shortfalls in the American data protection regime, including a report for the EU Commision which was used in evidence in the court case. “It’s up to the Irish Data Protection commisioner to decide the weight to give to that [in its investigation]”
Blacknight, Ireland’s leader in domains and hosting. 100% of our servers are hosted in Ireland. Where does your data live?is brought to you by