Is our right to privacy obsolete?

Hogan J has issued a landmark judgment in the case of Schrems v Data Protection Commissioner [2014] IEHC 310.

Data Protection law is a contentious topic.  Balancing the right of an individual to a private life against the necessity to protect against threats to national and international security has provided a massive amount of debate in a time where social media plays a pivotal role in our society.

The argument
The applicant, Maximillian Schrems, a data-protection campaigner, has used the Snowden disclosures as the catalyst for his claim.  He alleges that the Snowden findings demonstrate that there is no effective data protection regime in the United States. The applicant claimed that the Data Protection Commissioner should exercise his statutory powers to direct that the transfer of personal data from Facebook Ireland to its parent company in the United States should cease.

Safe Harbour Regime
A European Commission arrangement was reached in 2000 set up a regime known as the Safe Harbour Regime.  The Commission determined that the United States does provide adequate data protection controls and therefore allows the transfer of personal data from Europe to the United States.  It is clear from the Safe Harbour arrangement that a certain level of protection must be demonstrated to comply with the decision.  A company may self-certify that they comply with the Safe Harbour principles.  Facebook Ireland has self-certified their compliance with the Safe Harbour arrangement.  On this basis the Data Protection Commissioner did not investigate the applicant’s complaint and the applicant sought to judicially review the Data Protection Commissioner’s decision.

It has been alleged that the National Security Authority (“NSA”) in the United States collects personal data from major internet providers such as Microsoft, Google and Facebook under the PRISM programme.  The activities of the NSA are governed by a court established under Foreign Intelligence Surveillance Act (“the FISA Court”).  The FISA Court is conducted in an ex parte manner, as the US security authorities are the only parties who can be heard in respect of applications to the FISA Court and its findings are not published.  Personal data transferred by companies such as Facebook Ireland to its parent company in the United States is capable of being accessed by the NSA.  Hogan J states that this casts “… a shadow over the extent to which non-US data subjects enjoy effective data protection rights”.

Constitutional rights to privacy inviolability of the home
Under Irish law each person has a constitutional right to privacy.  Indeed the preamble of the Constitution protects the “dignity and freedom of the individual”.  Hogan J has suggested in his judgment that the accessing of private communications generated in the home — whether it be phone calls, internet use or private e-mails — also directly engages the inviolability of the family home, as guaranteed by Article 40.5 of the Constitution.  The inviolability of the dwelling home is echoed in German law.  A recent German case found that legislation providing for the interception and surveillance of communications was a disproportionate interference without adequate safeguards with the guarantee for the inviolability of the dwelling home.

The decision
Hogan J has suggested that this applies equally in Ireland.  He goes so far as to say “The potential for abuse… would be enormous and might even give rise to the possibility that no facet of private or domestic life within the home would be immune from potential State scrutiny and observation”.  Hogan J, in a powerfully written judgment, states that the mass and undifferentiated accessing by State authorities of personal data has “gloomy echoes of the mass state surveillance programmes conducted in totalitarian states…”

European law parallels the position under Irish law.  These fundamental protections are contained in Article 7 and Article 8 of the EU Charter of Fundamental Rights which protects private and family life and personal data respectively.

This matter is regulated by EU law and so the Court of Justice of the European Union has the ultimate role in determining the matter.  Hogan J has referred the question to the Court of Justice of the European Union as to whether the Data Protection Commissioner is bound by the determination of the European Commission  14 years ago, in relation to the adequacy of data protection in the law and practice of the United States.  Hogan J questions whether this regime is out-dated and reflects “a more innocent age in terms of data protection”.

Future implications
The potential implications of this decision cannot be underestimated.  If the Court of Justice of the European Union agrees with Hogan J and determines that the Safe Harbour regime is no longer adequate, US companies based in Ireland will face enourmous legal and logistical challenges.  While such a decision would be welcomed in terms of protecting our rights enshrined in our Constitution, it may act as a deterrent to US companies basing themselves in Ireland.

Hogan J has extended our fundamental right to the inviolability of the dwelling home to include our use of computers and telephones.  It is suggested that this protects any personal data that is generated in the family home.  .  Hogan J states that any interference with our basic Constitution rights must be objectively justified.  His  vigorous interpretation of these provisions of our Constitution will be carefully studied and considered as to whether his views on the  Constitution could be applied in other areas of the law.

The case before the Court of Justice of the European Union will take some time to be heard and determined.  Hogan J’s decision casts significant doubt over the legality of the Safe Harbour arrangement which will not be resolved until the decision of the Court of Justice of the European Union is available..

For further information, please contact Elaine McGrath on emcgrath@reddycharlton.ie.