Ireland’s High Court on Tuesday ordered the Irish data protection agency to examine whether to suspend the transfer of Facebook users’ data from Europe to the United States.
The Data Protection Commissioner “is obliged now to investigate the complaint,” Judge Gerard Hogan said following a landmark ruling by the European Court of Justice earlier this month.
The case was initiated by Austrian activist Max Schrems, who claims techniques used by the US National Security Agency (NSA) — as revealed by whistleblower Edward Snowden — meant the privacy of his user data could not be guaranteed once it had been transferred across the Atlantic.
Law student Schrems had asked the Irish Data Protection Commissioner to investigate the protection afforded to the data transferred by Facebook, which has its European headquarters in Ireland.
In 2013, the then Irish data protection commissioner declined to investigate the complaint on grounds that EU authorities were satisfied the US had ensured sufficient data protection through the “Safe Harbour” agreement.
Signed in 2000, the pact was to take account of differing perceptions of data protection, allowing for the transfer of data if firms in the US adhered to rules similar to those imposed within the EU.
But the European Court of Justice ruled earlier this month that “Safe Harbour” was invalid, sending the case back to Ireland’s High Court.
Ireland’s Data Protection Commissioner Helen Dixon welcomed Tuesday’s ruling, saying in a statement: “My office will now proceed to investigate the substance of the complaint with all due diligence.”
– ‘A significant landmark’ –
In response, Facebook denied it was passing users’ data on to the authorities.
“Facebook is not and has never been part of any programme to give the US government direct access to our servers,” said a spokesman.
“We will respond to inquiries from the Irish Data Protection Commission (IDC) as they examine the protections for the transfer of personal data under applicable law.”
Online privacy campaigners called the ruling “a significant landmark”.
“There is now an unambiguous requirement to investigate on this sort of complaint,” said Simon McGarr, lawyer with Digital Rights Ireland.
“It is a significant landmark nationally, but also internationally, because… Ireland is the centre for so many of the technology companies that transfer these data,” he added.
Speaking at a technology conference in California, Facebook’s chief product officer Chris Cox conceded that Europe’s concerns about its citizens’ personal data presented challenges.
“It points us in the direction of being very clear about how we are operating and very clear about our intentions,” Cox said.
“For tech companies that is such an important refrain, so governments and policy makers can see you; meet you, and understand how you are operating, and not be afraid of you.”
In ruling the “Safe Harbour” agreement invalid, the European court said that “legislation permitting (US) public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
The ruling also gave national data-protection authorities the power to decide whether existing safeguards were sufficient, clearing the way for Ireland’s domestic courts to rule on the issue.
Speaking after the hearing, Schrems said the “big question is going to be if the Irish DPC is going to do its job.
“Basically, the law is clear and the facts are rather clear as well so theoretically you could make a decision within weeks,” he told reporters.
“But I don’t think the DPC is going to go down that road, so very likely we will see a long and deep investigation and long debates with Facebook.”