Facebook and Max Schrems united in dissatisfaction with DPC

Ireland’s Data Protection Commissioner is pleasing no one with ongoing privacy case

Austrian data protection campaigner Max Schrems: “I could be financially ruined, just because I want my rights respected.” Photograph: Julien Warnand/EPA
Austrian data protection campaigner Max Schrems: “I could be financially ruined, just because I want my rights respected.” Photograph: Julien Warnand/EPA

If a regulator annoys all parties in a case equally, perhaps it's doing something right. But today the Commercial Court will hear why Ireland's Data Protection Commissioner (DPC), in the biggest case it has ever faced, is doing everything wrong.

So wrong that, in a rare moment of agreement, it has united Facebook and Austrian data protection campaigner Max Schrems in their dissatisfaction with the DPC.

Three years ago Mr Schrems accused the US social network of breaking European privacy law because, when it transfers its European users’ data to servers in the US, it cannot guarantee that the information isn’t accessed by US intelligence.

Facebook deny the Schrems allegations but, in a landmark case last year, Europe’s highest court sided with the Austrian man and shut down Safe Harbour, the major data transmission channel.

READ MORE

The Court of Justice of the European Union (CJEU) in Luxembourg ruled that privacy provisions in Safe Harbour, developed by the European Commission in 2000, made a mockery of European citizens' fundamental right to privacy.

But the case didn’t end there because data transfers to the US have not ceased. Facebook – and countless other companies operating on both sides of the Atlantic – have other legal means to transfer data stateside.

The case continuing today is about one of these alternative channels, called Standard Contractual Clauses (SCC).

Legal clarity

The DPC Helen Dixon says she has doubts that SCCs are any more legal than Safe Harbour and wants the Irish court to ask Luxembourg – the masters of the EU treaties – if this is the case. So if Ms Dixon is seeking clarity on this point of law, why is everyone annoyed with her?

For one because, despite her stated concerns, the DPC has gone to court with a draft, rather than a final, decision on the matter.

Counsel for the DPC says the Portarlington-based regulator cannot come to a final decision until the CJEU rules on the legality of SCCs. In a rare moment of agreement, counsel for Facebook and Mr Schrems accuse the DPC of putting the cart before the horse: asking Europe’s highest court to rule on a point of data protection law before a national regular issues its final decision.

Both sides say the DPC has left them in the dark over evidence and strategy of its investigation. For Facebook the DPC has, in legal terms, left its multibillion dollar international operations – all managed from Dublin – effectively driving by sight.

The DPC’s approach to the case could have huge economic implications, so vast that Facebook and Schrems have been joined in the case by the US government and several US lobby groups.

The US government and several US software and privacy lobby groups have been accepted as amicii curiae (assistants to the court on legal issues) in Dublin and, later, in Luxembourg. They told the Dublin court that blocking other data channels alongside Safe Harbour would cost the European economy €143 billion annually.

Other channels

A final point of annoyance: Facebook admits it doesn’t rely exclusively on SCCs to transfer data. So why, then, has the DPC asked for legal clarity on just SCCs and not all data channels used by Facebook?

Taking the channels one at a time means the Facebook v Schrems case – already running for three years – could drag on into the next decade, with multiple, costly trips to the Commercial Court.

“The DPC says it potentially wants legal costs from me, which could stretch into hundreds of thousands of euro,” said Mr Schrems. “I could be financially ruined, just because I want my rights respected.”

Not for the first time in recent years, experienced data protection watchers are watching through their hands as, on yet another case with international consequences, the Irish DPC pursues a legal strategy that no one else can discern. Is it in over its head, they ask each other, or kicking as many cans down the road as possible? Perhaps both?

Ahead of today’s next round – and more doomsday scenarios likely about the high costs of halting transatlantic data transfers vital to the EU economy – it’s worth recalling that this case is not about private companies’ economic interests. It is about whether EU citizens’ right to privacy is fundamental – or negotiable.