Facebook has become less trendy in recent years, as more parents send friend requests to their children, and competing social networks increasingly hold more appeal. However, it is still used by a billion people worldwide, with about 185 million users in the EU. But could all those Facebook users in the EU lose their access in the near future, following a recent decision of the High Court?
The so-called "Europe v Facebook" case concerns a complaint by an Austrian Facebook user Max Schrems, who was concerned about the transfer of his personal data as a Facebook user to the United States. He brought his complaint to the Irish data protection authority, which was presumed to be competent in this matter because Facebook has a subsidiary in Ireland.
That national data protection authority supervises the EU rules on the processing of personal data, such as the data shared on social networks, which are set out in the EU’s Data Protection Directive. This Directive has special rules restricting the transfers of personal data outside the EU, where lower standards of data protection are usually applicable.
However, there are various way to justify such "external" transfers. Many transfers to the United States are governed by a European Commission Decision, which states that in principle all American companies certifying their participation in a system (known as the "Safe Harbour" system) for complying with basic data protection principles maintain an "adequate" level of data protection. Facebook is one of the companies concerned.
The problem is that many doubt the American companies' assertions that they maintain an adequate level of data protection. In particular, revelations by Edward Snowden suggest that Facebook is required by American law to hand over the personal data of all its users to the US National Security Agency (NSA).
How did this case reach the High Court? While the Commission’s “Safe Harbour” decision states that national data protection authorities can suspend transfers to the United States if they have very serious doubts about the standards being upheld in practice, this is subject to each EU member state’s decision to give its national authority such powers. Ireland chose not to give its data protection authority such powers, perhaps thinking that this might attract American subsidiaries to Ireland. So the Irish authority felt it had no choice to refuse Mr Schrems’ complaint.
Mr Schrems therefore sued the data protection authority before the High Court, which decided to halt proceedings and send questions to the Court of Justice of the European Union (CJEU).
Mr Justice Gerard Hogan has asked the Court of Justice to clarify whether the national data protection authority does have the power to block transfers to the US under the Safe Harbour rules, even though Irish law prevents this from taking place.
The underlying argument here is that the Irish law is preventing Mr Schrems from the protection of his right to privacy. Indeed, Mr Justice Hogan assumed that the American system would violate the privacy standards of both the EU and the Irish constitution, comparing that system to surveillance in Communist East Germany.
If the argument is successful, it could have very broad implications. Logically, it would mean that transfers of personal data from the EU to Facebook would have to be stopped. So would transfers to other American organisations that are required to hand over data to the NSA. This may well include many other social networks, along with other companies.
Is there a way around this drastic outcome? First of all, Facebook could find some way not to transfer the data of EU users to the US. But this may not be financially viable or technically feasible. Certainly, transfers could not be avoided where European Facebook users have friends in America. And the US might insist that Facebook still has to hand over the data. Other American companies might also be in the same boat.
Any real prospect that Facebook transfers from the EU might be blocked would cause a major earthquake in EU/US relations, making the concerns about the recent Google Spain judgment (which applied the EU's privacy and data protection rules to search results) look like a minor tremor. So the better outcome would be for the US, which has been negotiating on data protection issues with the EU for several years, to amend its law to improve the standards applicable to data protection.
For a long time, this looked like an implausible prospect. But in the last week, after the Europe v Facebook decision was announced, the Obama administration stated that it would propose to extend the protections of the US Privacy Act to EU citizens. It remains to be seen, however, whether such changes would be good enough to be considered “adequate” from the point of view of the EU.
Steve Peers is professor of law at the University of Essex. For further comments on the Europe v Facebook case, see http://iti.ms/VbzG83