The Irish High Court has dismissed a legal challenge by Facebook against a draft decision by Ireland’s Data Protection Commissioner (DPC) to suspend Facebook Ireland’s transfer of data about European residents to the US.
Justice David Barniville ruled last week that Facebook Ireland had not established any basis for “impugning” the Data Protection Commissioner’s draft decision to suspend Facebook’s data transfers as part of an inquiry.
The decision is the latest in a long-running legal battle between Austrian lawyer Max Schrems and Facebook over the lawfulness of the social media company’s data transfers between Europe and the US.
At issue is whether data transfers to the US breach EU privacy laws by subjecting the data of European citizens to US mass surveillance programmes without offering them adequate legal redress.
Schrems, who has accused both Facebook and the DPC of delaying tactics, said that after years of legal action, the DPC would now be required to stop Facebook’s data transfers.
“Facebook lost on every ground,” he said. “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer.”
The 127-page High Court judgment, published on 14 May 2021, rejected allegations from Facebook that the DPC had breached its duty of candour in the way it defended the proceedings brought by Facebook.
The judge also found that the claims made by the DPC – withdrawn during the hearing – that the proceedings brought by Facebook were an abuse of process had no basis and should have been withdrawn at an earlier stage.
A separate action brought by Schrems against the DPC which aimed to halt the DPC’s inquiry into Facebook for different reasons was settled just before it was due to be heard in court on 13 January 2021.
Schrems first brought a complaint against Facebook in 2013, following the Snowden revelations that the US was engaged in the mass surveillance of email, phone and internet data.
The lawyer challenged the lawfulness of Facebook’s transfer of data on EU citizens to the US under EU data protection law.
Privacy Shield
The case led to the European Court of Justice (CJEU) declaring the Safe Harbour agreement, which was used as a legal mechanism to transfer data between the EU and the US, invalid in September 2014, in a judgment that became known as Schrems I.
In Schrems II, in July 2020, the CJEU struck out Privacy Shield, the successor to Safe Harbour, in a move that created uncertainty for European countries that share data with the US and put pressure on the US to reform its surveillance laws.
Schrems said in a statement: “We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer. This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data.
“The other option would be for the US to change its surveillance laws.”
Facebook initiated proceedings in August 2020 after the DPC reached a preliminary draft decision that the social media company’s European headquarters, Facebook Ireland, should not transfer personal data to Facebook in the US.
The draft decision said: “The data transfers at issue are made in circumstances which fail to guarantee a level of protection to data subjects which is ‘essentially equivalent’ to that provided by EU law – and are in breach of the GDPR [General Data Protection Regulation].”
Any decision by the DPC is likely to be reviewed by the European Data Protection Board, which is made up of 28 EU member states that have the right to make objections.
The judge will make a final order, including costs, after hearing any further submissions from lawyers from each party once they have considered the judgment.
Leave a Reply