The Data Protection Commissioner is to challenge Facebook’s transfer of EU users’ data to the US at the European Court of Justice (CJEU).
The move follows an investigation by the commissioner to ascertain whether personal privacy is properly protected from US government surveillance on foot of the court’s decision to strike down the Safe Harbour scheme in October.
The Safe Harbour scheme was an agreement that allowed the free transfer of data between the EU and the US. It was rejected following a complaint to the CJEU by Austrian law student and privacy activist Max Schrems.
In a statement on Wednesday, the Data Protection Commissioner said it would “continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data” but added it was going to the High Court to seek a referral to the CJEU to contest the matter.
“We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under standard contractual clauses,” it said.
The Irish Times understands that, while the investigation is continuing, the commissioner has come to a preliminary view that Facebook's mechanism for transferring data is not satisfactory in terms of the redress facilities open to EU citizens.
In effect, the concern is that EU citizens would not be able to pursue an effective legal remedy in the event their rights were contravened by a US public authority.
Legal options
A spokeswoman for Facebook said the company has a number of legal ways to move data to the United States.
“Thousands of companies transfer data across borders to serve their customers and users,” she said.
“The question the Irish Data Protection Commissioner plans to raise with the court regarding standard contract clauses will be relevant to many companies operating in Europe.”
In a statement on Wednesday, Max Shrems said: “There is no way the CJEU can say that model contracts are valid if they killed Safe Harbour based on the existence of these US surveillance laws.”
Facebook, like many other tech companies, has its European headquarters in Dublin and is regulated by the Data Protection Commissioner.
Transfers of Europeans’ personal information to the United States have been a hot topic since 2013 revelations about mass US surveillance programmes such as Prism, which allowed US authorities to harvest private information directly from big tech companies such as Apple, Facebook and Google.
After the CJEU ruling in October, the EU Commission and the United States rushed to hash out a new data-sharing agreement, the Privacy Shield, which they are hoping to have up and running by the end of June.
(Additional reporting, Reuters)