Developments in Data Privacy Case lawThis summer has seen significant developments on both sides of the Atlantic in legal cases concerning international data privacy law.

In July, judgment in Microsoft’s appeal against the US Department of Justice was handed down by a court in New York. July also saw the ongoing actions involving the Irish Data Protection Commissioner, Max Schrems and Facebook back before the High Court in Dublin. We examine some key legal observations arising from these decisions.

Amicus Curiae

At the outset it is worth noticing that, aside from the fact that both cases address significant multi-jurisdictional issues of privacy law, a common feature of the cases is that both cases involved national governments intervening in non-domestic proceedings by filing amicus curiae briefs with the relevant Courts.

Amicus curiae literally translates to “friend of the court”.  By way of this process, interested parties can submit briefs to assist the Court in grasping the broader implications of judgments beyond those directly impacting the litigants. Generally, admission as an amicus requires a party to demonstrate a genuine, legitimate interest in the issues raised.

Amicus curiae applications are relatively uncommon in Ireland and interventions by national governments in this manner are especially rare. That two national governments have become involved in data privacy litigation in another jurisdiction in quick succession by way of amicus curiae demonstrates the seriousness of data privacy issues from their perspective.

Microsoft case

The Microsoft appeal concerned emails stored on a server in Dublin. A New York district court judge had issued a warrant for disclosure of the emails for the purposes of an investigation in the US. Microsoft refused to comply with the warrant, arguing that the data was held outside of the jurisdiction and was therefore outside of the NY Court’s remit.

The Irish Government filed a brief with the US Court of Appeal in support of Microsoft’s position. The brief emphasised Irish sovereignty and pointed out that there were international treaties for obtaining evidence from abroad. On 14 July 2016, the New York Court handed down its decision, siding with Microsoft. In finding for the company, the Court decided that US warrants are limited in scope to US territory. Irish sovereignty had to be respected, and proper channels must be used to obtain cross-border evidence. The result, coming as it does shortly after the adoption of the EU-US Privacy Shield, which was adopted on 12 July 2016, is a positive development in light of the concerns about excessive US surveillance of personal data previously expressed in the Schrems case last October.

Schrems case

The latest judicial ruling in the Schrems case follows the original complaint by Max Schrems to the Irish Data Protection Commissioner, which resulted in the invalidation of the Safe Harbour regime (which had allowed for flows of personal data from the EU to the US) by the Court of Justice of the European Union (“CJEU”) in October 2015. The current iteration of the case before the High Court concerns the validity of transfers of personal data to the US on the basis of “standard contractual clauses”.  A core issue is whether the standard contractual clauses can offer adequate protection for personal data against a backdrop of broad US surveillance programmes, with the Irish Data Protection Commissioner seeking a referral to the CJEU for a determination on the point.

On 19 July 2016, in the High Court in Dublin, Judge Brian McGovern granted an application by the US Government to be joined to the Schrems case as an amicus curiae.  Judge McGovern said he was satisfied that the US had a “significant and bona fide interest” in the outcome of the case. He noted that US surveillance law is a substantial issue, and the judgment will significantly affect US businesses. He also granted requests by EPIC (a US privacy watchdog), the Business Software Alliance, and Digital Europe to be included as amicii curiae. He refused requests to join from the Irish Business and Employers Confederation, IHREC, American and Irish Civil Liberties organizations, the EFF, and privacy activist Kevin Cahill. The hearing of the substantive action has been listed to commence on 7 February 2017.

Further comment

The amicus applications reflect the growing importance to both business and governments on both sides of the Atlantic of data transfers and exchange, and hence of data regulation.  There are real risks to businesses in both Europe and the US if such flows cannot continue.  The Business Software Alliance estimates a negative judgment in the latest Schrems case could cost the EU €143 billion per year – 1% of its total GDP.

As such, governments are understandably wary about leaving the fight solely to litigants.  This goes beyond political posturing – the first Schrems case was a significant challenge for international data controllers, who instead were reliant to a significant degree on the standard contractual clauses to facilitate transfers to the US.  That said, the decision in Schrems has led to significant written undertakings and movement from the US in relation to rights of redress and restrictions on surveillance, as reflected in the EU-US Privacy Shield.  It is hoped that in light of those developments, and the amicus standing of the US in the case, the CJEU will be in a position to make a determination in the current proceedings which will permit the continued use of standard contractual clauses, with a consequent boost to the US-EU Privacy Shield.

By Carina Lawlor of Matheson.