Watchdog takes bizarre legal route in data privacy case

Analysis: Data commissioner takes needlessly costly route in Schrems case

Data Protection Commissioner Helen Dixon. Photograph: Cyril Byrne
Data Protection Commissioner Helen Dixon. Photograph: Cyril Byrne

One of the most closely watched, internationally significant cases relating to data privacy and commercial activity is currently before the court in Ireland.

That's the convoluted case taken in the Commercial Court by the Office of the Data Protection Commissioner (ODPC) against Facebook and the Austrian Max Schrems.

The case arises out of last year's European Court of Justice (ECJ) decision that the ODPC had a duty to investigate Schrems's complaint against Facebook Ireland regarding the handling of his data in the United States.

Safe Harbour

In that decision, the ECJ effectively invalidated the old EU/US-agreed Safe Harbour principles. These theoretically ensured European data was given the same protections in the US as under European law but – as the justices rightly noted – was a flimsy construct even before you considered whistleblower Edward Snowden’s evidence of large-scale US surveillance and data-gathering programmes involving companies including, Snowden alleged, Facebook.

READ MORE

In June, the EU confirmed a controversial Safe Harbour replacement, called Privacy Shield, to address the concerns raised in the Schrems decision. Does it? Well, the article 29 working group of Europe's data protection authorities this week announced continuing reservations with Privacy Shield.

Commercial Court

Meanwhile, following the ECJ ruling, the High Court instructed Data Protection Commissioner Helen Dixon to conduct an investigation, in which she ruled that Schrems had a valid complaint.

However (and this is where it gets confusing), before going further she asked the Commercial Court here to consider an issue of key import to many international businesses.

This is whether companies could safely opt to use private contracts called model contracts or standard contractual clauses, to exchange data. Facebook used these post-Schrems and pre-Privacy Shield.

Dixon's draft decision regarding Schrems's complaint indicates that model clauses are invalid, as they fail to address the same concerns raised by the ECJ over Safe Harbour. Two weeks ago, former US federal trade commissioner Julie Brill – who helped negotiate Privacy Shield – said in Dublin that she doubted model contracts were adequate, given that they were private contracts with little transparency.

Yet model contracts continue to be used by many companies, especially multinationals. Many of these, such as Amazon, told customers that data transfers post-Schrems were covered by model contracts. The European Commission itself said –in a wishy-washy way – that they were too. Probably.

The importance of the model contracts issue and this Irish case is such that the US Government, in a rare move, successfully asked to be appointed ‘amicus curiae’ — an informed advisor — to the court. So too did US privacy organisation the  Electronic Privacy Information Centre (EPIC).

Bizarre route

But the ODPC has chosen a bizarre route to ask this critical question. Strangely, it is taking a Commercial Court action to request a referral to the ECJ on the point, naming Facebook and Schrems as defendants.

This strategy is baffling (especially naming Schrems as a co-defendant. Why?). Perhaps the ODPC reasoned that the case would be fast-tracked in the Commercial Court. But that has been proven wrong as of this week, when the judge put back the case until February next year, because of the need to find adequate (two weeks) court time. Facebook, predictably, had indicated it needed significant time to prepare its case.

Costly court time

That’s going to be costly time, because the Commercial Court is many times more expensive than other courts.

On past example, costs could be expected to run in excess of a million euro for a two-week case. The entire annual budget of the ODPC is €4million. For Facebook, which earned $18 billion in revenue last year, money isn’t an issue. For the ODPC, (under)funded by taxpayers, it should be.

For Facebook, the delay will no doubt be handy as it builds a case in which it told the court that it intends to dispute the findings of fact for the ODPC’s decision, facts based on Snowden’s damaging accusations. This case, in short, is a rare chance for Facebook to make a very public defence against Snowden’s allegations. No wonder the US government is eager to be involved.

Better alternatives

There were better, more cost-effective and faster approaches to decide this issue. The ODPC could have just asked the High Court to advise on its draft decision, and refer a question to the ECJ on model contracts. Or it could have issued a final decision and left Facebook (or Schrems) to appeal to the considerably less expensive Circuit Court, at a cost of about €15,000.

Instead, we are looking at a high-cost decision from the Commercial Court in February. A referral to the ECJ then typically takes another 12-18 months, pushing any model contracts ruling into 2018.

By that point, the whole issue is likely to be moot. Either another country will fast track a model contracts case or the ECJ likely will have heard a challenge to Privacy Shield.

If deemed  adequate, Privacy Shield will be the easier, preferable option for data transfers. If inadequate, transatlantic business will be in a state of emergency and model contracts won’t be a reliable answer.