European court asked to rule on Facebook data transfers
LONDON: The European Court of Justice has been asked to consider whether Facebook’s Dublin-based subsidiary can legally transfer users’ personal data to its US parent, after Ireland’s top court said yesterday that there are “well-founded concerns” the practice violates European law.
In a case brought after former US defense contractor Edward Snowden revealed the extent of electronic surveillance by American security agencies, the court found that Facebook’s transfers may compromise the data of European citizens.
The case has far-reaching implications for social media companies and others who move large amounts of data via the internet. Facebook’s European subsidiary regularly does so.
Ireland’s data commissioner had already issued a preliminary decision that such transfers may be illegal because agreements between Facebook and its Irish subsidiary don’t adequately protect the privacy of European citizens. The commissioner asked the High Court to refer this finding to the European Court of Justice because the data sharing agreements had been approved by the European Union’s executive Commission. Ireland’s data commissioner “has raised wellfounded concerns that there is an absence of an effective remedy in US law for a EU citizen whose data are transferred to the US where they may be at risk of being accessed and processed by US state agencies for national security purposes in a manner incompatible” with the EU’s Charter of Fundamental Rights, the High Court said yesterday. Austrian privacy campaigner Maximillian Schrems, who has a Facebook account, challenged this practice through the Irish courts because of concerns that his data was being illegally accessed by US security agencies.
In an earlier ruling in the case, the European Court of Justice found that the socalled Safe Harbor regime, which Facebook previously relied on when transferring data to the US, violated EU law because it didn’t provide effective legal remedies. The Safe Harbor regime had been established in 2000 by the EU executive Commission, which found that US data protection laws were adequate to protect the rights of EU citizens. The Irish Data Commissioner decided to seek judicial review of standard contractual clauses in part because of “the very significant commercial implications arising from the value of data exchanges to EU-US trading relationships.”
The US government and three other parties were allowed to file friend of the court briefs in the case.