Irish watchdog’s case against Facebook to be heard in Europe’s highest court
Data Protection Commissioner action could have major impact on firm’s business model
Max Schrems, Austrian privacy activist. Photograph: Joe Klamar/AFP/Getty Images
But this time Schrems is no longer the complainant but sees himself as a defendant, alongside the social media company, in a high-profile case taken by Ireland’s Data Protection Commissioner (DPC).
The DPC case, which arrives in Luxembourg after stops in the State’s commercial and supreme courts, will examine whether Facebook data transfers to the US meet EU privacy standards, and whether the Irish authority is legally entitled to adjudicate on such matters.
Any ruling could have a profound impact on Facebook’s business model in Europe and Ireland’s reputation both as a tech hub and regulator of the industry.
In 2013, Mr Schrems, then a Viennese law student, filed a complaint with the DPC that Facebook’s EU subsidiary in Dublin was collecting more data from European users than permitted by EU privacy law.
He broadened his complaint after claims by Edward Snowden that US intelligence had secured back-door access to Facebook user data. After the DPC declined to examine the complaint, Mr Schrems took a High Court case, which, in turn, sought clarification from the European Court of Justice (CJEU) in Luxembourg.
In a landmark 2015 decision, the CJEU dismissed the European Commission’s “Safe Harbour” data transfer arrangements with the US and ordered that the DPC investigate the Schrems complaint.
After the ruling, the DPC revealed that Facebook did not use Safe Harbour for data transfers but another channel, known as standard contractual clauses (SCC).
Mr Schrems modified his complaint to include SCCs and the DPC began an investigation into whether this allowed mass processing by US intelligence of EU citizens’ data on Facebook servers.
Instead of making a finding, the DPC instead filed a case in 2016 at the High Court against Facebook and Max Schrems with the aim of directing further questions to the CJEU.
After a six-week hearing, the High Court in Dublin ruled that the US federal government was carrying out a mass processing of EU citizens’ personal data and submitted 11 questions to the CJEU.
After today’s hearing in the main chamber, a ruling is expected by the end of the year.
Six years after the original Schrems complaint was filed, the DPC has yet to make an official finding on whether Facebook’s data transfers – taking place on its watch in Dublin – are compatible with EU law.
The DPC says it has no competence to rule on this matter, while Facebook insists its actions are covered by the EU-US Privacy Shield, the successor to defunct Safe Harbour provisions. The company launched – and lost – a Supreme Court action to block the latest referral to Luxembourg.
“This case has been outstanding for six years,” said Mr Schrems, founder of privacy lobby group noyb. “In this six years the DPC has made decisions in just 2 to 3 per cent of cases lodged with it. We have no problem with SCCs, we have a problem with the implementation of the law.”