Europe v Facebook has issued a press release today decrying the failure of the Irish DPC to find fault with the reliance on Safe Harbor by US technology companies in the transfer of personal data of EU citizens to the US where it fell into the net of PRISM.
The soundbite friendly position evf is taking is that the Irish DPC is kowtowing to economic interests in not pulling the plug on Safe Harbour as German DPAs have done.
However I would suggest that the position is slightly more nuanced than that. The key test that needs to be met for the national security/law enforcement exemptions to Safe Harbour is one of necessity and proportionality of the invasion of privacy set against the national security/law enforcement requirement.
The EU currently has a Data Retention Directive. It is law in most EU member states, but is currently subject to an action in the Irish High Court which has referred questions to the ECJ, which ultimately rest on issues of necessity (I.e is it necessary to retain the metadata of every call, web access, email, sms sent over a comms provider in the EU, and if it is necessary is it proportional to do so for EVERYONE compared to the actual risk/objective).
This ECJ action is referred to explicitly by the DPC in their response to evf.
In the absence of a ruling in that case or a decision by the EU commission that PRISM constitutes an unnecessary and disproportionate intrusion under Safe Harbour the DPC is acting in line, in my view, with the law that is in front of him.
But the Germans have pulled the plug I hear you cry! Yes. They have – to a point. But the German Constitutional Court has also struck down their national implementation of the EU Communications Retention Directive. So the law in Germany is slightly but significantly different.
But this awkward disjointment of laws highlights the need for improved standardisation of Data Protection laws in Europe and an improved collegiate operating structure for DPAs. This is part of what the revised General Regulation on Data Protection was to deliver.
It also highlights the questionable justification for double standards for law enforcement as illustrated by the existence of the parallel revisedDirective on Data Protection for EU law enforcement agencies which differs from the draft Regulation.
As a childhood (and adult) fan of the classic TV show “Yes, Minister” I’m minded to give the DPC some benefit of the doubt in their position as it would be preferable for there to be an EU bloc position on Safe Harbor rather than piecemeal action. That requires either EU Commission termination of Safe Harbor due to its abuse on grounds of inappropriate and unnecessary intrusion, or a ruling from the ECJ that defines those rules in an EU context in regard of our own data sucking activities.
After a little digging, it turns out that the position of the German DPAs doesn’t differ all that much from the Irish position. They actually haven’t suspended Safe Harbor, just called on the European Commission to clarify how Prism etc is compatible with EU privacy principles.
What is suspended are transfers based on any other basis other than model contract terms or Safe Harbor.
So, in effect, the German DPAs have kicked the ball back to the European Commission in a manner similar to the Irish DPC, but have forgotten to mention the significant ECJ hearing as well.
That is not to say that I am thrilled with how it has been handled. The DPC should have issued a formal decision on this setting out their position so that evf could appeal against it in Court. That would be an interesting case to see and I suspect many of the arguments that would need to be put forward have already been drafted in respect of Digital Right Ireland’s High Court and ECJ actions.
Of course, I don’t rule out the possibility of an overworked under resourced Data Protection authority making an error in their assessment of the legal position. And, unfortunately given the dischordant “tone at the top” from Alan Shatter on matters Data Protection the political landscape Billy Hawkes must navigate is challenging.
This will get very interesting I suspect.
(And I’ve left the question of whether the Irish DPC even has the powers under the domestic legislation to do what evf are requesting for another day)