[kictanet] Fwd: [Internet Policy] Irish Court Throws U.S.-EU Data Transfers Into Uncertainty

Barrack Otieno otieno.barrack at gmail.com
Wed Oct 4 09:35:06 EAT 2017 

Listers,

FYI

Regards

---------- Forwarded message ----------
From: Joly MacFie <joly at punkcast.com>
Date: Tue, 3 Oct 2017 16:42:44 -0400
Subject: [Internet Policy] Irish Court Throws U.S.-EU Data Transfers
Into Uncertainty
To: "internetpolicy at elists.isoc.org" <InternetPolicy at elists.isoc.org>

This just in. In the UK we used to call this "throwing a wobbler'.

http://www.therecorder.com/id=1202799516015/Irish-Court-Throws-USEU-Data-Transfers-Into-Uncertainty?mcode=1202617072607&curindex=0&slreturn=20170903164041

A decision Tuesday by Ireland's High Court in the case brought by Austrian
privacy activist Max Schrems has cast new uncertainty
<http://www.therecorder.com/id=1202781274731/The-Irish-Case-That-Could-Upend-USEU-Data-Transfers-Again?mcode=0&curindex=0&curpage=ALL>
on
the legal tool that Facebook and thousands of other U.S. companies use to
transfer personal data from their operations in the European Union.

Irish High Court Justice Caroline Costello in a highly anticipated ruling
<http://www.europe-v-facebook.org/sh2/HCJ.pdf> said the Irish Data
Protection Commissioner had raised "well-founded concerns" about whether
U.S. surveillance practices deny EU citizens fundamental rights once their
data is transferred to the U.S.

Costello's decision tees up yet another case at the Court of Justice for
the European Union (CJEU) in Luxembourg—the EU's highest court—to determine
the validity of "Standard Contractual Clauses," a key legal tool companies
use to transfer EU citizens' personal data outside the bloc. A final
decision is likely still years away.

"Standard Contract Clauses provide critical safeguards to ensure that
Europeans' data is protected once transferred to companies that operate in
the U.S. or elsewhere around the globe, and are used by thousands of
companies to do business," Facebook said in a statement. "They are
essential to companies of all sizes, and upholding them is critical to
ensuring the economy can continue to grow without disruption."

How the EU's highest court will rule will be influenced in part by how
Costello frames her formal question of what is to be decided. The justice
still has yet to determine that, and both Facebook and Ireland's Data
Protection Commissioner are expected to weigh in beforehand.

The immediate practical impact of the ruling is hard to assess because the
EU high court's decision is unlikely to come for years and because of
the shifting
legal landscape
<http://www.law.com/sites/almstaff/2017/06/13/podcast-what-you-need-to-know-about-the-future-us-eu-data-regime/>
in
Europe around data privacy. The EU's new General Data Protection
Regulation, which takes effect in 2018, would require substantial updates
to standard contractual clauses (SCCs) anyway.

But the referral of the case to the CJEU creates the possibility that the
EU's highest court will find that those clauses, no matter how they are
constructed, are invalid because of U.S. surveillance practices. In other
words, even if companies spend the next year making SCCs compliant under
the new regulation, there is risk that they could be wiped away.

The case may also invite a repeat of the EU high court's 2015 ruling on a
separate legal tool for transatlantic data transfers, then known as "Safe
Harbor." After being struck down by the high court—in a case that also
started with a complaint by Schrems to the Irish data protection
commissioners—the U.S. and EU negotiated a new framework called "Privacy
Shield."

But in her ruling, Costello attacked some of the new features of the
Privacy Shield arrangement as deficient. Specifically, she noted that its
creation of a privacy "Ombudsman" at the U.S. State Department to field
concerns about how EU citizens' data are handled "will neither confirm nor
deny whether the individual has been the target of surveillance nor will
the Ombudsperson confirm the specific remedy that was applied."

Facebook, whose lead U.S. counsel in the case is Joshua Lipshutz of Gibson,
Dunn & Crutcher, had tried to convince Justice Costello that the U.S.
surveillance practices are reigned in by substantial oversight and laws
that prevent abuse of privacy, consistent with EU law. Former White House
privacy expert and Alston & Bird attorney Peter Swire and Stephen Vladeck
of the University of Texas School of Law also offered testimony for
Facebook.

But Costello was not persuaded. "Quite clearly there are extensive rules to
ensure that data is obtained in accordance with law and data, once
obtained, is not misused. This is not the same as providing a remedy where
the rules are broken and data is unlawfully collected or otherwise
misused," she wrote in her ruling. (The justice underscored that she was
not passing a value judgment on the U.S. legal regime but only assessing
whether there was a real question of whether it meets the standards of EU
privacy law.)

She cited U.S. Supreme Court decisions that she said had made it more
difficult for plaintiffs to establish standing in challenging surveillance
practices, including* Clapper v. Amnesty International USA*. That
case—which divided the court 5-4—sought to challenge Section 702 of the
Foreign Intelligence Surveillance Act, which created new procedures for
authorizing electronic surveillance of non-U.S. persons abroad.

Schrems, in a statement <http://www.europe-v-facebook.org/sh2/PA.pdf>,
welcomed the Irish High Court's decision. "It is important that a neutral
court outside of the U.S. has summarized the facts on US surveillance in a
judgment, after diving through more than 45,000 pages of documents in a
five-week hearing," he said. "Facebook seems to have lost in every argument
they were making."

In addition to Gibson Dunn, Facebook is represented by Irish firm Mason,
Hayes & Curran. The main barristers for Facebook are Paul Gallagher, a
former Irish attorney general, and Niamh Hyland. Dublin solicitors firm
Ahern Rudden Quigley have been representing Schrems; the principal
barrister arguing on his behalf was Eoin McCullough.


Ben Hancock is a San Francisco-based reporter covering litigation,
technology, finance, and the future of law. He can be reached via email at
bhancock at alm.com
<https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=bhancock@alm.com>. On
Twitter: @benghancock <https://twitter.com/@benghancock>

-- 
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
--------------------------------------------------------------
-



-- 
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A

More information about the KICTANet mailing list