See www.europe-v-facebook.org/PA_MCs.pdf for the latest version of this update. May 25th 2016, Version 2 Rapid Press Update: Facebook & NSA-Surveillance: Following “Safe Harbor” decision, Irish Data Protection Commissioner to bring EU-US data flows before CJEU again Yesterday night, we were informed that the Irish Data Protection Commissioner (DPC) is planning to refer to the Court of Justice of the European Union (CJEU) to determine if Facebook can continue to transfer data from the EU to the US after the invalidation of the “Safe Harbor” system by the Court on October 6th 2015 and given continues application of US mass surveillance laws. If not, Facebook would be banned from transferring data from its international headquarter in Dublin, Ireland to the United States. Under current CJEU case law, it is highly unlikely that Facebook Ireland would could continue sharing data with the US authorities. Link: First report by the Financial Times Facebook replaced “Safe Harbor” with “Model Contracts” After the CJEU has invalidated the “Safe Harbor” system, which allowed rather seamless data transfers from the European Union to the United States, Facebook’s international headquarter “Facebook Ireland Ltd” in Dublin, continued to transfer user data to the United States, where it is subject to NSA mass surveillance. Instead of “Safe Harbor”, Facebook uses so-called “Model Clauses”, which allow transferring data, based on a contract between Facebook Ireland and Facebook USA. Link: Copy of Facebook’s Model Clauses [PDF] Link: Information by the European Commission on Model Clauses However, this switch of a legal basis for data transfers did not change the underlying problem of applicable US mass surveillance laws and the lack of legal redress in the United States, especially for foreign nationals. The CJEU ruled on October 6th 2015 in C-362/14 Schrems -v- Data Protection Commissioner [Link to the Judgement] that the US does not provide adequate protection for EU data and that US mass surveillance violates the essence of the fundamental right to privacy and a under the EU’s Charter of Fundamental Rights. In an unpublished draft decision of May 24th 2016 the Irish DPC followed the objections of the Complainant Mr Schrems in the procedure between Mr Schrems and Facebook Ireland Ltd. Mr Schrems claimed that Facebook USA continues to be subject to US mass surveillance laws, independent of the use of “model causes” or “Safe Harbor” and that his data continues to be subject to fundamental rights violations once it reaches the United States. Possible major fallout for US internet industry and “Privacy Shield” Just like Facebook, many international IT companies such as Google, Apple, Microsoft and alike are relying on “Model Clauses” after the invalidation of “Safe Harbor. If this case reaches the CJEU as intended by the Irish DPC, the questions raised would also impact the proposed EU-US “Privacy Shield” that was intended to replace “Safe Harbor”, as the factual and legal questions raised, are exactly the same as under the proposed “Privacy Shield” system. Quotes Schrems on the procedure: “I have received the draft decision by the Irish DPC yesterday night and we were informed that the DPC is intending to file the necessary proceedings with the Irish courts within the next days. We are right now reviewing the DPC’s draft decision and will engage in the procedure as a party. Further details are not clear yet, as the DPC did not provide us with the evidence, submissions or documents before it.” German: “Ich habe gestern Abend einen Entscheidungsentwurf von der Irischen Datenschutzbehörde bekommen, worin ich informiert wurde, dass die Behörde vor hat die nötigen Dokumente in den nächsten Tagen bei den irischen Gerichten einzubringen. Wir prüfen derzeit diesen Entscheidungsentwurf und werden natürlich am Verfahren teilnehmen. Weitere Details sind bisher nicht klar, weil uns die Behörde abermals keine Unterlagen aus dem Verfahren zur Verfügung gestellt hat. Schrems on Model Contracts: “This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see now there could be a solution." German: “Das ist eine sehr problematische Situation für die US IT-Industrie und gewisse Teile der transatlantischen Datentransfers. Solange die weitreichenden US-Gesetze es erlauben, dass die Vereinigten Staaten diese Daten bei US-Unternehmen abgreifen, werden die betroffenen Datentransfers in die USA immer mit EU-Grundrechten kollidieren. Ich sehe keine Möglichkeit, dass der EuGH aus diesen Gründen erst das Safe Harbor-System killt und das gleiche Problem nicht auch bei Standardvertragsklauseln sieht. Alle Datenschutzexperten wussten, dass diese Verträge rechtlich fraglich sind, aber es war eben bisher die einfachste und schnellste Lösung. Solang die USA ihre Überwachungsgesetze aber nicht substanziell ändern, sehe ich aber keine Lösung des Problems.
© Copyright 2019 ExploreDoc