Austrian privacy campaigner Max Schrems has threatened Ireland's Data Protection Commissioner (DPC) personally with criminal action should she fail to investigate fully - and swiftly - his complaint against Facebook.
In a revised complaint to the DPC, filed on Wednesday, Mr Schrems has called in data protection officers from Germany and Belgium to crack the whip on his four-year legal battle in Ireland against Facebook.
He has also stepped up his pressure on the Irish DPC, Helen Dixon, to act swiftly, warning of "personal criminal consequences" under common law should she "wilfully fail to perform" her duties.
Mr Schrems’s updated request asks data protection commissioners (DPC) in Ireland, Hamburg and Brussels to review Facebook’s transatlantic data transfers via the framework known as Safe Harbour.
That provision was struck down by the European Court of Justice (ECJ) on October 6th programme, after revelations by NSA whistleblower Edward Snowden that EU citizens' data was shared with US intelligence agencies.
Clarification
Following ECJ clarification on the matter, the High Court in Dublin ordered Ireland’s DPC to examine the Schrems complaint it had previously rejected and investigate whether Facebook shared data with US intelligence via the Prism programme - a charge Facebook rejects.
Four years after his first contact with the Irish DPC, Mr Schrems has now brought on onboard Belgian and German officials to pressure Irish officials to act sooner rather than later against Facebook.
“We want to ensure that this very crucial judgement is also enforced in practice when it comes to the US companies that are involved in US mass surveillance,” said Mr Schrems.
In his updated complaint, Mr Schrems tells the DPC that Facebook does not meet any conditions for having obtaining informed consent of its users for data transfer and was “obviously trapped” between EU privacy and US intelligence practices.
Challenge
Opening up the case to Belgium and Germany is a direct challenge to Facebook’s view that its international headquarters in Dublin leave it under the exclusive regulatory remit of the Irish DPC.
Recent European court rulings have undermined this position, however. In October, the ECJ found that a company can be held accountable by a a national data protection agency of any European country in which it operates a service.
The court upheld the supervisory claim of the Hungarian DPC over Weltimmo, a property advertising service with operations in Hungary but based in Slovakia.
A Belgian court ruled recently that, despite Facebook’s claims to the contrary, Belgian authorities have jurisdiction over the social network’s commercial activities in its territory.
Following the Weltimmo and Belgian cases, the Hamburg DPC Johannes Caspar is hoping for a similar ruling from a German court. Last July his office took legal action against Facebook, which has a local office in Hamburg, over its refusal to allow pseudonymous profiles in Germany.
Facebook case
Prof Caspar welcomed the invitation by Mr Schrems to join the Irish Facebook case, saying it would give a practical foretaste of Europe’s new data protection regime. Likely to be agreed by year-end, the new rules foresee greater co-operation between national bodies - and European oversight of national DPC decisions.
For his part, the Hamburg DPC said he looked forward to the exchange of information and documents with his Irish colleagues.
“This new situation means it is no longer just Irish law that can be used here, something we all have to accept,” said Prof Caspar, insisting he would place acting against Facebook or other companies above a “misunderstood idea of collegiality” with other European DPCs.
“Collegial relations are important but more important at the end is to protect our citizens from data abuse, and the ECJ has said we have competence here, too.”
The DPC in Portarlington declined to comment on the investigation