To cap a tumultuous couple of weeks for Facebook, the Irish High Court yesterday referred a complaint about the firm’s transfer of European citizen’s personal data to the US for processing to European Court of Justice (ECJ) for a second time, in a decision that could have a big effect on the business model, and that of other US internet firms that depend on processing personal data.
The case against Facebook was originally brought by Austrian lawyer and privacy activist Max Schrems to the Irish Data Commissioner (DPC) in 2013. The complaints revolved around the way that data on European citizens could be accessed by the US security services, as revealed by Edward Snowden. It was referred by the DPC to the ECJ, which ultimately annulled the EU-US data sharing agreement Safe Harbour in 2015. It was replaced by the current Privacy Shield framework.
For tax purposes Facebook operates from its Dublin offices as Facebook Ireland Ltd. It transfers EU citizens’ data to Facebook Inc. in the US under a system called ‘model clauses’ or ‘standard contractual clauses’ (SCC). Facebook users in other counties also have their data processed by Facebook Ireland Ltd.
Model clauses are a standardised form of document that, once approved by the European Commission (EC), allow companies to transfer data without further reference to the authorities.
Privacy activists have long argued that they provide a convenient loophole for data processors to carry on with business as usual and that Privacy Shield is little better than the framework it replaced.
Facebook started using model clauses for transferring data to the US after Safe Harbour was abolished and has continued to do so ever since. However, the US authorities are still able to access users’ data for bulk processing.
Facebook had argued that the case was concerned with national security and therefore falls outside of European privacy and data protection laws, something rejected by the High Court.
Professing himself pleased with the decision, Schrems said he regrets that the case has taken five years to reach this stage. He said he believed the Irish DPC could have made the decision itself rather than resorting to the back and forth with the ECJ, but that he was hopeful that the Privacy Shield more widely would come under scrutiny.
“What is remarkable is that the High Court also included questions on the Privacy Shield, which has the potential for a full review of all EU-US data transfer instruments in this case,” he said in a statement.
Given that the High Court had found that the US is able to undertake mass processing on citizens data, Schrems said the ECJ must now be bound by that finding.
“Given the case law, the question, in this case, does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers and which approach they will take to remedy the conflict of EU privacy protections and US surveillance.”
Schrems has argued that a targeted solution which would only affect data companies and not other sectors should be possible under existing legislation.
“We hope that the Court of Justice will adapt our approach, which is a targeted suspension of data transfers if a company falls under US mass surveillance laws,” he said.
Any ruling by the ECJ is likely to take about 18 months.
Schrems recently set up a non-profit organisation to help people sue tech firms for privacy breaches under the GDPR.
Save this article