Earlier this month, the European Court of Justice declared for a second time that the data privacy agreement between Europe and the United States is invalid, and does not sufficiently protect the data of European citizens.
The case, which started seven years ago and which has been both long-running and complex, will have serious consequences, most notably for any companies looking to export data from the EU to the US, but also for Brexit, foreign direct investment and foreign trade in Ireland.
Put simply, it is unclear at this point if there is any way to safely and legally transfer data from the EU to the US.
The main takeaway from the case is that the EU-US Privacy Shield had the same flaws as the defunct Safe Harbour agreement, was not adequate in terms of European standards for data protection, and could not be used to allow data transfer.
While the court did not directly strike down the system of standard contractual clauses (SCCs) also used to facilitate data transfer, it made clear that they are only valid where controls in place in the third-party country meet the same adequacy standard. Each contract, it said, must be assessed to show it meets that standard.
The same concerns that sank Safe Harbour and the Privacy Shield will sink, one by one, each and every SCC. The Data Protection Commission (DPC) has described them as “questionable”, and they cannot be relied on to allow safe and legal data export.
The plaintiff in the case, Austrian privacy campaigner Max Schrems, who took a legal case against Facebook through the Irish courts, has published an open letter to the Irish Data Protection Commissioner Helen Dixon asking when she will act on his original complaint.
While we need urgent action from the commissioner to protect the fundamental rights of European citizens in terms of safeguarding their own data and privacy, the question has to be asked whether she is even in a position to be able to act.
Much has been written internationally about our DPC and the importance of its work. Indeed, other data protection authorities around Europe have called us not only the single most important DPC in all of Europe, given the number of tech firms based here, but also the roadblock to meaningful enforcement of the EU’s general data protection regulation (GDPR).
I have spoken in the Dáil on several occasions about how Dixon does not have the resources to keep pace with the complexity and volume of her workload, which is about to increase significantly as a result of this ruling.
Though the budget for the DPC has increased, it is only one third of what was requested by the commissioner to do the job she needs to do. Additionally, a report by Brave, a privacy-focused browser company, found that there are 21 tech specialists working in the commission. That is not nearly enough to hold Big Tech to account.
While the commission is an independent national authority, its work cannot be entirely independent of the government. After all, it is the government that provides its budget and so ensures (or not) that it has adequate staff and resources to carry out its work – work which has just become significantly more complicated.
Moving forward, it is vital that we ensure that the DPC is adequately funded and is provided with the staff and resources to act and deal with the seriousness and complexity of the work it is required to do, now more so than ever. We also need to look very seriously at the consequences of the most recent ruling.
There can be no flexibility or half-hearted measures when enabling the DPC to protect the data of EU citizens.
Patrick Costello is a Green Party TD