An anniversary post (of sorts)

A little under a year ago I wrote two posts on this blog regarding the Irish DPC, Facebook, and Safe Harbor.

The blog posts in question are here and here

Those posts were written under less than ideal conditions; sitting at train stations or in cramped train carriages, eyes streaming with hay fever (or perhaps I was weeping for the death of privacy... sometimes it’s hard to tell), typing furiously on an iPhone, with limited access to the internet, so they were rattled off essentially off the top of my head at the time based solely on the information that was in the public domain.

The gist of what I wrote in those posts was as follows:

  1. The Data Protection Commissioner’s Office has to enforce the law that is in front of them.
  2. The law that is in front of them says that transfers to Facebook are OK under Safe Harbor.
  3. To conduct an investigation would mean the DPC would have to challenge a decision of the European Commission (specifically the Safe Harbor decision).
  4. That was probably the reason why other Data Protection Authorities, while complaining about Facebook, PRISM, and Safe Harbor hadn’t actually done anything to suspend transfers, because they too were not able to directly challenge a decision of the European Commission.

In June we received the judgement of Hogan J. in Schrems vs DPC. This case was initiated as a judicial review of the decision of the DPC not to launch a full-blown investigation into Safe Harbor and Facebook.

In that judgement, Hogan J. held that:

  1. The DPC had correctly interpreted and enforced the law that was in front of them. Transfers from Facebook Ireland to Facebook US were permitted as a result of Safe Harbor.
  2. A question needed to go to the ECJ as to whether the DPC could actually ignore or look beyond the Commission Decision on Safe Harbor when looking at whether processing was lawful. (In essence this is a question that is asking the ECJ to rule on Safe Harbor in light of the changes in EU Data Protection law since it was implemented a decade and a half ago. Since then Data Privacy has become clearly recognised as a fundamental right and the Digital Rights Ireland case has clarified the need for proportionality in data processing, particularly on-line surveillance).

And with that he sent a question to the European Court of Justice that potentially will have echoes as profound as Gavrilo Princip’s revolver shot on a side street in Sarajevo a century ago.

It was particularly heartening to me to read paragraphs 80 and 81 of Hogan J.’s judgement when it came out. In those paragraphs he basically says exactly what I said a year ago: the EU Commission had decided that Safe Harbor was an appropriate mechanism for cross-border data transfer and the DPC was tied to the findings of the Commission under the Irish Data Protection Acts and the underlying Directive. That’s pretty much what I said in this blog post.

I am loath to engage in precognition on the ECJ case that we are presented with now. However, I will venture the following for now:

  1. This is no longer a case about an Austrian law postgrad taking on an administrative functionary on the western spiral arm of the EU.
  2. This has become a case about information flows and fundamental rights (thanks in no small part to some deft adjudication by Hogan J).
  3. This has become a question of information society (the ethics, rights, rules, and benefits of information processing) versus information economy (individuals as units of production, and surveillance of the drones by Big Brother). It will have a profound impact no matter what the outcome.
  4. While Max Schrems has taken his case against the Irish Data Protection Commissioner, ultimately it is the Safe Harbor mechanism that is on trial now at the ECJ.
  5. If Safe Harbor is found to be not fit for purpose as a result of the disproportionate threats to data privacy rights of EU citizens, we will move into a very interesting era. If it turns out that national Data Protection Authorities can second guess decisions of the EU Commission when the surrounding laws or social environment changes, that will have ripples out far beyond the world of Data Protection law and practice.

The role of Digital Rights Ireland as amicus curiae in this case is to be welcomed. They add no baggage to the wagon train, but having been to the ECJ already on a data protection issue they are familiar with the winding trail ahead.

It is to be hoped that politicians and functionaries in the civil services of Member States and the Commission, as well as the media and the general public, wake up to the issues here and start paying attention. In the absence of a global drive to establish functioning and balanced frameworks for effective cross-border data transfer we may find ourselves with exactly the same problems that gave rise over three decades ago to the need for the OECD Guidelines, and in turn Council of Europe Convention 108 and the entire framework of EU Data Protection laws in the first place.

Interesting times indeed.