25 March 2015 - Yesterday I attended the Max Schrems/Facebook case at the European Court of Justice (ECJ) in Luxembourg. It's the now famous (soon-to-be infamous?) case of Austrian law student Max Schrems who nagged Ireland's data privacy police to investigate Facebook International.
[NOTE: I have written about the case several times. For background, see last year's post on the history of the case.]
In Luxembourg yesterday the joint was jumping. The courtroom was packed with 14 legal teams, including four from Ireland. The court itself has 15 members.
The Advocate General, Yves Bot, will deliver his opinion on 24 June 2015.
And events quickly snowballed into what one ECJ judge yesterday dubbed a "case of great principle". The beleaguered legal counsel for the European Commission (Bernhard Schima) was subjected to a pitiless cross-examination by judges at the EU's highest court. In what one pundit called "a slow and tormenting legal striptease", ECJ judges finally got Schima to admit that so-called "Safe Harbour" principles on what happens to EU citizens' data in the U.S. are not very safe at all.
Max Schrems's counsel framed the principle at issue as simply as possible: what has become of the fundamental right of all EU citizens to privacy in the era of Facebook and the NSA?
And there is a larger theme afoot, that of an ever more active EU judiciary. Last year the ECJ ruled against a European Union directive which mandates that telecom operators must retain all their customers' communications data for up to two years calling it a violation "of the fundamental EU rights to respect private life and for the protection of personal data". A few weeks ago a district court in The Hague struck down a Dutch law requiring retention by telecommunications companies of customer data.
But far more telling was this exchange yesterday:
Advocate general Yves Bot: "Let's imagine I am on Facebook and I decide my rights have been breached. If I don't see the European commission taking action, what recourse do I have open to me?"
Bernhard Schima, Counsel for the Commission:(after some hemming and hawing) "You might consider closing your Facebook account and revoking your consent".
Advocate general Yves Bot: "I anticipated that problem by never opening a Facebook account."
That an EU Commission executive advised self-help over Brussels help in securing privacy was a telling moment in this complex case.
Another key question for all participants was whether EU citizens can turn to their national data protection bodies if they feel the commission has failed them.
And a most crucial issue in the current U.S./EU negotiations over changes to Safe Harbor is the right for EU citizens and EU corporations to have access to U.S. courts to redress grievances, just as U.S. citizens and U.S. corporations can access EU courts.
The Court and European Parliament seem to be on the same page: scuttling or creating a new agreement might stifle cross border ecommerce but "strengthening protections for European citizens" is paramount.
As I noted in last year's post on the history of the case we have the obvious "two chairs" conundrum. US companies that participated in the NSA's PRISM program sit on two chairs: U.S. law requires them to spy on its customers, EU fundamental rights prohibits just that. At first sight one could feel bad for these companies. But the point made was: "let's face it: most of them have chosen to sit on these two chairs. They settled in Ireland to exploit differences in the tax code and pay almost no taxes. Make a choice".
I intend a detailed analysis of the case in the coming weeks (with Dutch, French, German, Italian and Spanish versions). Herewith some brief points about yesterday's proceeding:
1. The questions referred from the High Court of Ireland were not about the validity of Safe Harbor itself, but rather about the reach and or/limitations of the powers of national data protection authorities (DPAs) to suspend international data flows under certain conditions notwithstanding a Commission's finding of adequacy of a third country, in this case the U.S. under the Safe Harbor scheme.
2. I think the sharp line of questioning pursued by the judges, in particular the Rapporteur Judge Thomas von Danwitz (from Germany) and the Vice-President Koen (from Belgium as well as the President Vassilios Skouris (from Greece) indicate their serious doubts as to whether the Safe Harbour scheme provides today or indeed has ever provided
ab initio an adequate level of protection of personal data transferred to the US.
3.
And the Court left itself breathing room. It can choose the extreme path of declaring the Safe Harbor scheme invalid ab initio or choose instead to provide guidance to improve it with regard to both Directive 95/46/EC and the Charter of Fundamental Rights.
4. The key: von Danwitz 's incisive questions aimed at exposing what he considers to be central flaws of law and substance of Safe Harbor as it relates to Directive 95/46 and the Charter of Fundamental Rights.
For instance:
- he pointed to the vague and conditional language in the Safe Harbor decision that point to a rebuttable presumption rather than to a firm finding of adequacy
- he challenged how the Commission can argue that the US provides an adequate level of protection when everything regulated under the Safe Harbor can be set aside and limited by the requirements of U.S. law
- he asked why the Commission does not suspend Safe Harbor despite it having just told the Court that it could not confirm that the US remains adequate
- he asked whether the requirement that a third country must "ensure", i.e. guarantee, an adequate level of protection means that the third country must carry out some form of positive obligation (e.g. enter into an international agreement)
- he asked the Commission to explain what empowers it to subject the powers of independent national DPAs to restrictive conditions and whether it believes that DPAs are banned from acting while the Commission is in discussions with the US.
5. Lenaerts had one clear objective: he stated that even if this case is not prima facie about the validity of Safe Harbor (one can instead talk about compatibility), there are no time limits imposed on the Court to determine whether an act, even one taken 15 years ago, was invalid or incompatible with the Charter.
6. And the Irish DPA's representative had to struggle with the elephant in the room: while the Court said the capacity/resources of Ireland to pursue complaints might be limited, the Irish DPA has shown a "rare form of restraint" ... targeted more at the DPA's apparent reluctance to pursue big US corporations headquartered in Dublin.
Schrems, the European Parliament and Digital Rights Ireland have called for the invalidation of Safe Harbor, one representative calling it a "safe harbor for pirates" and calling for its repeal. All have stressed the need for effective judicial remedies available to EU data subjects as critical to any adequacy finding and which they believed was sorely lacking in the current Safe Harbor scheme
The UK and Ireland were the lone voices advocating the view that DPAs were bound by the COM's adequacy finding, that the current Safe Harbor scheme provided sufficient redress mechanisms, and that it was for the Commission to act and negotiate with the US to fix any shortcomings. NOTE: neither Ireland nor the UK is represented on the bench for this case.
As noted, the Advocate General, Yves Bot, will deliver his opinion on 24 June 2015. I need to get cracking on my detailed analysis.
And in a final note, hurrah for crowd funding! The case was backed by a crowd funding platform (crowd4privacy.org) which backs the privacy campaigners against legal costs. Schrems sent out a big "thank you" and noted without this crowd funding they would not have been able to fund this case all the way to the ECJ.
