Sunday, February 12, 2017

U.S. Data Privacy Regime Is Challenged in Europe, Again

The Irish High Court in Dublin is hearing a case about US privacy protections and surveillance policies. The case is a part of the saga in European courts over whether Europeans’ personal information is adequately protected when moved to the US by companies like Facebook and Google.

Here is how it all began.  In 2015, EU's highest court, the Court of Justice of the European Union (CJEU) invalidated a EU-US pact ("Safe Harbor")that allowed for easy data transfers from the EU into the US.  That's because EU law requires that companies exporting European citizens' personal data can only do that to countries providing a similar level of legal protection for that data. CJEU has ruled that US data protection procedures were on lower lever, particularly when it became known that Facebook was compelled to turn over large amounts of personal data under the NSA's mass surveillance program, PRISM.  That mass surveillance program operated under Section 702 of Foreign Intelligence Surveillance Act, which the government uses to put foreigners under surveillance. Tech giants like FB have made contributions to dozens of Congressmen who support revival of mass surveillance programs, restrictions on privacy, backdoors in encrypted programs.

So, after the CJEU invalidated the Safe Harbor, tech companies started using Standard contractual clauses (SCCs) for US-EU data transfers. Plaintiffs in the current court case in Dublin allege that the SCCs are still inadequate and fail to sufficiently protect the European users' privacy. If they win, it would make it more difficult for tech giants to handle Europeans' personal information. The court has allowed the US government to join the case, potentially giving the new administration an opportunity to express its position on surveillance laws.