US government joins Facebook EU-US data transfer case as “amicus”

Tuesday, July 19 2016, 12:00 CET
US government joins Facebook EU-US data transfer case as “amicus”
Today the Irish High Court has joined the United States Government to become an “amicus curiae”1 in the
pending European case over Facebook’s involvement in US mass surveillance.
The court also accepted three applications from the US privacy NGOs EPIC, but also the applications from the
industry lobby groups BSA and DigitalEurope.
Applications by US-NGOs EFF, the ACLU and the Irish human rights NGO ICCL were rejected, as well as the
Irish Human Rights & Equality Commission and the Irish industry group IBEC.
Schrems: “The fact that the US government intervenes in this lawsuit, shows that we hit them from a relevant angle.
The US can largely ignore the political critique on US mass surveillance, but it cannot ignore the economic relevance
of EU-US data flows.
The solution of this issue can however not be that the EU waives its fundamental rights, but that the US gives proper
legal protection to the data of foreigners, when they use US services. Especially as ‘cloud’ services are promoted, the
US government has to ensure proper protection of stored information.
I hope that the IT industry in the US will also push in this direction once the see the consequences of overreaching US
surveillance laws for their international business.”
Max Schrems (German): “Dass die US-Regierung nun probiert an diesem Fall teilzunehmen, zeigt dass man sie mit
dieser Klage doch an einer relevanten Stelle trifft. Die USA können zwar die Kritik an der Massenüberwachung
ignorieren, aber nicht die wirtschaftliche Relevanz von EU-US Datenflüssen.
Die Lösung dieses Konflikts kann jedoch nicht sein, dass wir EU Grundrechte einstampfen, sondern dass die USA auch
Ausländern entsprechende Datenschutzrechte zugestehen, wenn sie US-Dienste nutzen. Besonders wenn man
‚Cloud‘-Dienste ausbauen will, muss die US-Regierung auch für Rechtssicherheit für ausländische Nutzer sorgen.
Ich hoffe dass hier auch die IT-Industrie in den USA verstärkt für Reformen eintritt, wenn die Konsequenzen von
überbordenden Überwachungsgesetzen für das Auslandsgeschäft klarer werden.“
The case concerns transfers of personal data between Facebook’s international headquarter in Dublin and
Facebook in the United States. Under EU data protection law2 and CJEU case law3 such data transfers are
only permissible if Facebook Ireland can guarantee “essentially equivalent” protection and protection from
mass surveillance.
For reasons of tax avoidance 84%4 of all worldwide Facebook users are managed in Dublin, Ireland, but their
personal data is sent to the United Stated for processing. This data transfer, crucial to Facebook’s business
and tax model, is now under attack by the pending case.
Currently US laws, like FISA allow the US government to conduct mass access to Facebook data, as under the
“PRISM” program, uncovered by Edward Snowden. On October 6th 2015 the Court of Justice of the European
See Articles 25 and 26 of Directive 95/46/EC
See C-362/14 Schrems.
Union (CJEU) has already invalidated the so-called “Safe Harbor” system, allowing smooth data transfers
between the United States and the European Union. The CJEU held that “Safe Harbor” did not provide
“essentially equivalent” protection and that US mass surveillance violates the essence of the fundamental
right to privacy and legal redress.
The case was decided on foot of a complaint with the Irish Data Protection Commissioner (DPC) by the
lawyer and privacy activist Max Schrems. The DPC is now (again) trying to refer the very same case to the
CJEU, as Facebook now claims another legal basis for its EU-US data transfers, after “Safe Harbor” was
invalidated. Mr Schrems claims that these “alternatives” are equally violating his fundamental rights as the
previous “Safe Harbor” system did.
Today’s hearing only concerned “amicus” applications. Further hearings will deal with the case itself. The
legal status of certain data transfers between the EU (as the largest market in the word) and the US (as the
dominant provider of IT services) will be at challenge in these cases. Many other IT giants like Microsoft,
Google, Apple, Yahoo or Skype are equally affected.
Further Information:
Case Name:
DPC v. Facebook Ireland Ltd and Maximilian Schrems (Record Number: 2016 No 4809P)
Max Schrems: [email protected] / +43 660 1616327 / @maxschrems
Data Protection Commissioner: [email protected] / +353 57 864 2521
Irish Court Services: Link