The European Court of Justice has been asked to consider whether Facebook’s Dublin-based subsidiary can legally transfer users’ personal data to its US parent, after Ireland’s top court said Tuesday that there are “well-founded concerns” the practice violates European law.
In a case brought after former US defense contractor Edward Snowden revealed the extent of electronic surveillance by American security agencies, the Irish court found that Facebook’s transfers may compromise the data of European citizens.
The case has far-reaching implications for social media companies and others who move large amounts of data via the internet. Facebook’s European subsidiary regularly does so.
Ireland’s data commissioner had already issued a preliminary decision that such transfers may be illegal because agreements between Facebook and its Irish subsidiary don’t adequately protect the privacy of European citizens. The Irish High Court is referring the case to the European Court of Justice because the data sharing agreements had been approved by the European Union’s executive Commission.
Ireland’s data commissioner “has raised well-founded concerns that there is an absence of an effective remedy in US law for an EU citizen whose data are transferred to the US where they may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible” with the EU’s Charter of Fundamental Rights, the Irish High Court said Tuesday.
Austrian privacy campaigner Maximilian Schrems, who has a Facebook account, had challenged this practice through the Irish courts because of concerns that his data was being illegally accessed by US security agencies.
“US citizens would not be allowed to have such mass surveillance as for European citizens and we have to protect our citizens,” Schrems said. “And actually, Europe protects anybody because we see it as a human right, not as a citizens’ right.”
Facebook said standard contract clauses provided critical safeguards and that such safeguards are used by thousands of companies to do business.
“They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption,” the company said in a statement.
It added that it was important that the European court “now considers the extensive evidence demonstrating the robust protections in place under standard contractual clauses and US law before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.”
In an earlier ruling in the case, the European Court of Justice found that the so-called Safe Harbor regime, which Facebook previously relied on when transferring data to the US, violated EU law because it didn’t provide effective legal remedies. The Safe Harbor regime had been established in 2000 by the EU executive Commission, which found that US data protection laws were adequate to protect the rights of EU citizens.
The Irish Data Commissioner decided to seek judicial review of standard contractual clauses in part because of “the very significant commercial implications arising from the value of data exchanges to EU-U.S. trading relationships.”
The US government and three other parties were allowed to file friend-of-the-court briefs in the case. The others are the BSA Business Software Alliance, a trade association whose members include Apple, Microsoft and Intel; Digital Europe, which represents the region’s digital technology industry; and the Electronic Privacy Information Center, a US civil liberties group.