Just weeks after the Irish High Court heard arguments from select parties in a case that could affect the future of private transatlantic data flows, Irish Data Protection Commissioner Helen Dixon shared her thoughts about the case and the questions the court must consider.
"These hearings were positive," she said during a panel session at the IAPP Global Privacy Summit in Washington. "It was an extremely comprehensive hearing on complex issues. This wasn't a case where the judge will rush to judgement."
At the heart of the case is the future viability of Standard Contractual Clauses, a private means of securing legal transfer of personal data out of the EU to the U.S. Dixon wants the case referred to the Court of Justice of the EU to determine whether such contracts are essentially equivalent, given concerns about U.S. government access to EU citizens' data, particularly after the Snowden revelations in 2013.
She said the expert witnesses in the case, who included fellow Summit panelist Peter Swire, CIPP/US, agreed about many of the facts in the case. "What they differed on," she explained, "was the emphasis placed on and significance of those facts."
For example, the issue of whether EU citizens have legal standing in the U.S. was of concern. There was agreement, she said, about elements of standing — buoyed by the Spokeo case in the U.S., for instance — but they differed on whether all the facts amounted to a general obstacle for citizens or if that was overstated.
The High Court, Dixon emphasized, must decide where that emphasis — on all questions in the case — resides in the coming weeks. As such, she shared a robust list of those nuanced questions, which included what appropriate test should be applied to the adequacy of SCCs.
Swire, who testified in the February and March High Court hearings on behalf of Facebook, highlighted some of his testimony defending adequate U.S. government oversight mechanisms. "U.S. protections are substantially stronger than those existing in EU nations," he said, "and meet the equivalence standard." He cited several oversight mechanisms in place, including FISA court oversight and Section 702, the Privacy and Civil Liberties Oversight Board, congressional intelligence committees, and a series of executive orders including PPD-28.
The European Commission's Bruno Gencarelli would not comment on the High Court case as it is still pending, but also questioned what test should be applied to SCCs. Though "cautiously optimistic," he also called the EU-U.S. Privacy Shield "a success" so far. Yet, he also stressed the importance of the annual review coming this September.
Addressing concerns about the future viability of Shield, Swire outlined some easy points the Trump administration could score moving forward. Trump could appoint new members to the PCLOB and the FTC, while maintaining the executives orders in place as well as PPD-28.
Of more concern, however, is Section 702, which is up for renewal at the end of the year amidst political turmoil around allegations the Obama administration used 702 to "spy" on then-presidential candidate Trump. Swire conceded that 702 has a steep hill to climb, especially since the Trump administration has thus far had difficulty getting reforms through Congress.
It's too early to tell what the Irish High Court will decide, just as it is early to speculate on the potential outcome of the annual review of Shield in September. Regardless, these will both be issues to follow closely in the coming months.
If you want to comment on this post, you need to login.