,
91 tweets,
18 min read
Read on Twitter
Irish data protection authority: U.S. law doesn't provide remedy for unlawful processing of personal data. There is no way of knowing when or by whom personal data has been accessed.
Irish data protection authority: U.S. legal regime doesn’t legal remedies such as access, erasure or rectification of the data. The Ombudsperson mechanism is not enough to make up for these "deficiencies."
Reminder: The Ombudsperson mechanism is also used for the #PrivacyShield.
Irish data protection authority: The High Court has found that surveillance in the U.S. is legal, unless forbidden.
Irish data protection authority: The failure of the standard contractual clauses #SCC to compensate for the lack of effective judicial review in the third country renders them invalid.
Now it's Facebook's turn to talk.
"Facebook welcomes the global lead of the EU and the Court on data protection." (lol)
Facebook: The GDPR is a balance that recognizes that trade must continue but also that other countries need to ensure a level of data protection. #EUdataP
Facebook praises the Court's decision on Schrems I (lol bis). Schrems I: The invalidation of Safe Harbor, the predecessor of #PrivacyShield.
Facebook: The level of request [by government agencies] is very small compared to the data Facebook has, and Facebook carefully scrutinizes those requests for legal validity. #EUdataP
Facebook: The effect of an invalidation of data transfer on trade would be immense and would have WTO implications for the EU. #EUdataP
Facebook: There is no evidence that Facebook’s transfers are under any particular risks. #EUdataP
Facebook: Setting requirements for U.S. law would go beyond what the EU can do. #EUdataP
Facebook: The Charter of Fundamental Rights doesn’t extend beyond the field of EU law.
Facebook: Standard contractual clauses are a fundamental way of continuing trade until the rest of the world can be brought to the EU level in terms of data protection. #EUdataP
Facebook: The GDPR recognizes that we should strive to protection but getting there is a process. In the meantime we should deal with practicalities.
Now it's Max Schrems' lawyer.
Schrems lawyer: When data is transferred by Facebook to the U.S., the protection is weakened by U.S. law. That is true with any transfer mechanisms, including the #PrivacyShield. It’s systematic.
Schrems lawyer: The solution is not for the Court to invalidate standard contractual clauses but for the @DPCIreland to enforce them.
Schrems lawyer takes the opportunity to say that "the #PrivacyShield decision is invalid."
Schrems lawyer: Access to personal data on a generalized basis should be seen as compromising the essence of the fundamental right for respect of private life.
Schrems lawyer: The U.S. government surveillance activities go way beyond national security, for example espionage of foreign countries which can include the EU.
Schrems lawyer: Surveillance has a chilling effect on other rights, such as freedom of expression. #EUdataP
Schrems lawyer: This Court (CJEU) should also find that #PrivacyShield is invalid. #EUdataP
Schrems over, now the U.S.
Ugh, I meant *SYSTEMIC*.
US government: The U.S. commits to high level of privacy and data protection. For over 40 years, the U.S. has demonstrated its commitments. (lol #3) #EUdataP
US government: The U.S. surveillance regime contains clearer rules [on data collection] than the ones of most EU member states.
US government: The validity of standard contractual clauses must be upheld.
US government: The GDPR doesn’t give the EU the mandate to "conduct a worldwide enquiry" of surveillance regimes across the world.
US government: The Ombudsperson addresses the difficulties and provides effective administrative redress. #EUdataP
US government: The case seems to be based on a fallacy, as the Data Protection Commissioner seems to forget that the EU data protection regime exempts national security processing.
US government's intervention is over, now it's the Electronic Privacy Information Centre.
The hearing is now interrupted (and I'm getting a diet Coke from the cafeteria)
Ok the hearing is back on, with an intervention of tech lobby Business Software Alliance (Apple, IBM, Microsoft etc). Worth noting it does not represent Facebook.
BSA: We ask the Court to uphold standard contractual clauses. #EUdataP
BSA: Standard contractual clauses are an essential part of day to day operations of companies in Europe. #EUdataP
BSA: Standard contractual clauses are so widely used that invalidating them would be very disruptive. The impact would be far greater than the Court's decision to invalidate the Safe Harbor.
BSA: BSA challenged data requests from the US government all the way to the Supreme Court. (Reference to Microsoft here)
BSA: We agree with Mr. Schrems, the supervisory authority -- ie Ireland's data protection authority -- plays an important role in standard contractual clauses.
BSA is done, now it's DigitalEurope.
DigitalEurope is over, Ireland is speaking now.
Ireland: Standard contractual clauses are not incompatible with GDPR nor with the Charter of Fundamental rights. #EUdataP
Ireland: The Court should confine its examination to #SCCs (subtext: And leave #PrivacyShield alone).
Ireland: #SCCs will likely become increasingly important in the context of a no-deal Brexit.
Ireland: The @DPCIreland has the necessary power to suspend or prohibit [#SCCs used by Facebook to transfer data to the US]. We acknowledge the difficulty of the task, but it should not mean all #SCCs should be deemed invalid.
Now Germany: "We fully agree with Ireland's comments."
Germany: In the field of intelligence gathering, EU law doesn’t apply. #EUdataP
Germany: Since EU law is not applicable to member states' intelligence agencies, it can’t be applied to foreign country’s intelligence agencies. #EUdataP (I must confess I don't 100% understand the argument)
Ok now France.
France "fully endorses" the Irish comments.
France's representative speaks a lot, it's very complicated and not-at-all straight to the point. But she says "supervisory authority" a lot.
The French lady is still talking (also, I'm allowed to say that because I'm French.)
And now, the Netherlands.
Netherlands: We endorse the comments of our Irish colleagues.
Netherlands: The situation in third countries is only relevant to assess whether a given transfer is allowed. That decision lies with the supervisory authority (read: @DPCIreland) and has nothing to do with the Commission or #SCCs in general.
Netherlands: Our position is that #SCCs meet the requirements of the Charter of Fundamental rights. Transfer of data to third countries may proceed under the SCCs.
Now Austria.
Austria: The government is not going to take a position here on the validity of the #PrivacyShield decision.
Austria: The #SCCs do not provide an adequate guarantee in all situations. Legal certainty should not be developed at the expense of fundamental rights.
Now the UK.
UK: Won't comment on the content of the laws of the U.S.
UK: The Commission cannot be asked to assess the ability of public authority to access data in every third country where data transfers are made. #EUdataP
UK: It is for each supervisory authority to consider and examine concerns in particular situation, not to the Commission. The supervisory authority must act as a backstop (yes, the UK just used the B word in an Irish context).
The hearing is interrupted [for a well-deserved lunch break] and will resume at 2.30 pm. The European Commission and the European Data Protection Board are expected to talk. #EUdataP
Aaaaaand we're back on.
The European Parliament will now speak.
European Parliament: The arguments put forward by Facebook that the case put forward in Ireland is a matter of national security cannot be accepted.
European Parliament: The transfers of personal data are made for purely commercial purposes. Thus the original purpose for transfers is commercial, and EU law applies.
European Parliament: We consider that the validity of the GDPR [and #SCCs] cannot be at stake.
Now the European Commission.
European Commission: The U.S. law is not the real issue here, it's not relevant in that case. What it's about is who is responsible for what. What's the responsibility of the @DPCIreland, national courts, the Commission... #EUdataP
European Commission: In the absence of adequacy decision, the data controller is responsible for ensuring that safeguards are in place, including when data are transferred outside the EU.
[This hearing increasingly looks like the "defendant" is the @DPCIreland and not Facebook]
European Commission: The only thing that the DPC asked the High Court is to decide on the validity of the SCCs. We have a very special procedure here.
I think it's fair to say the European Commission is annoyed by the @DPCIreland.
European Commission: The review of the safeguards in the area of national security should be limited to assessing whether the essence of the Charter is respected. #EUdataP
European Commission: Surveillance activities of third countries during the state of transit do not fall under adequacy decision. The #PrivacyShield is exceptional in that matter, due to the Snowden revelations.
European Commission: The legal status of PPD-28 should not be underestimated. It is binding on the U.S. administration. #PrivacyShield
European Commission: The Ombudsperson adds another layer on independent redress, oversight mechanisms. #PrivacyShield
And now the @EU_EDPB.
The @EU_EDPB is the last speaker. The hearing started 6 hours ago.
The @EU_EDPB: It is up to supervisor authorities (ie @DPCIreland in this case_ to assess, based on a complaint, whether data are protected under #SCCs. If not, they may suspend transfers.
The @EU_EDPB: We welcome the establishment of the Ombudsperson mechanism. At the same time, we also express concerns as to the effective judicial redress.
The @EU_EDPB: The EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to remedy non compliance. #PrivacyShield
It's now time for questions from the judge, first to the Commission and the EDPB.
Judge explains that this case and the #PrivacyShield case are linked. "Can you rely on SSCs when there is an adequacy decision?"
Commission: The #PrivacyShield is a specific adequacy decision because it doesn't say that the U.S. offers a similar level of protection.
(Questions are still ongoing but I will have to leave for the train station soon otherwise I'll be stuck in Luxembourg for ever. Bye!)
