Last week, the Irish Supreme Court ruled that the Data Protection Commission (DPC) may proceed with its investigation into Facebook. This investigation could result in Facebook no longer being allowed to transfer personal data from the European Union to the United States.
The ban by the DPC followed up on the Schrems II case from last year, in which the European Court of Justice (CJEU) ended the so-called EU-US Privacy Shield. The Privacy Shield was a regulation on the transfer of personal data from the EU to the US. This regulation was supposed to provide a level of protection broadly similar to that within the EU, which after an assessment under the GDPR was found not to be the case. Supervisory legislation in fact mandates the sharing of personal data with the US government.
The CJEU furthermore underlined that the transfer of personal data could still take place on the basis of standard contractual clauses (SCCs). SCCs contain agreements about the processing of personal data and were already in use before the introduction of the Privacy Shield. Like the Privacy Shield, SCCs are only valid if they contain the same or better privacy safeguards than the European rules on that matter. In this regard, the CJEU ruled that privacy regulators must suspend or prohibit data transfers once another country cannot ensure their protection.
Judgment of the Irish High Court
In Schrems II, the CJEU ruled that the DPC must investigate Facebook. The DPC started this investigation in August, shortly after the CJEU ruling, and a preliminary decision soon followed: Facebook was no longer allowed to use SCCs to meet European privacy legislation. This effectively demanded a ban on the transfer of European personal data to the US.
Facebook appealed and fought both the investigation and the preliminary draft decision. To this end, the social media platform raised numerous arguments. Facebook argued that, after a period of seven years, the preliminary decision was presumptuous. Furthermore, it cited the right to be heard, and also warned of the irreversible and devastating consequences for Facebook and its 410 million active European users.
The Supreme Court rejected the appeal. According to the Irish court, Facebook did not provide any valid reasons to challenge the regulator’s decision. There was also “no basis” for questioning the DPC’s methods.
Leading role Irish privacy watchdog
With this ruling, the Irish regulator can continue its investigation into a possible infringement of European privacy rules by Facebook. In addition, the company might be faced with a large fine. Facebook is not the only U.S. tech company that established its European headquarters in Ireland; names like Google and Apple did so as well. The Irish DPC therefore has a leading role when it comes to the enforcement of European privacy laws.
The DPC’s final decision may also set the course for many other companies under Irish jurisdiction. Therefore, this intervention at Facebook could be the first of many. Should the regulator implement the preliminary decision, this would mean the end of the privileged access that American companies currently have. American companies would thereby be put on an equal footing with companies from other countries.
This ruling brings an end to the seventh lawsuit in a long-running battle between Schrems, the DPC and Facebook. Schrems is an Austrian privacy activist who filed a complaint against Facebook in 2013. He argued that personal data at Facebook was not secured because it was on U.S. servers, and therefore subject to U.S. law. In a separate settlement, the DPC promised Schrems, among other things, to implement the complaint procedure promptly after this ruling.
The Irish regulator will therefore have to apply Schrems II soon. If it is established that SCCs are insufficient for providing the same or better privacy safeguards than European rules, this results in a ban on the transfer of European personal data to the US. This will also have consequences for other companies that transfer personal data that way. In that case, European providers will have to suspend the transfer of data and/or terminate the agreement with American recipients.