Europe’s highest court has set Ireland on a collision course with the US after ordering the Irish data protection commissioner (DPC) to investigate a complaint that Facebook failed to protect ordinary EU citizens’ information from large-scale US surveillance.
The European Court of Justice (ECJ) made the demand in a ruling on Tuesday that rewrote the rules of engagement on privacy issues between Brussels and national data regulators, and scrapped a 15-year-old agreement allowing US companies to expedite transfers of EU citizens’ data across the Atlantic.
The so-called Safe Harbour agreement simplified such transfers for companies that promised their EU customers’ data would be stored to “adequate” EU standards.
But the ECJ found the European Commission had neither the legal means to police this agreement nor the power to prevent US intelligence from collating EU citizens’ data.
Rather than wait for a successor agreement, the court dismissed the existing arrangements as a breach of EU data rules and fundamental rights of EU citizens.
Given the far-reaching economic consequences of the case taken by Austrian privacy campaigner Max Schrems, the European Commission insisted it would soon conclude a new data deal with the US and that data channels remained open for businesses.
The ECJ ruling has significant consequences for Ireland, too, given the number of global technology companies with their European and international headquarters in Dublin, including Google and Facebook.
The DPC said the case with Mr Schrems would return to the High Court on Wednesday for it to apply the ECJ conclusions in line with judicial review proceedings.
The DPC declined requests for further comment. However, privacy advocacy group Digital Rights Ireland (DRI) said the ECJ judgment rejected explicitly the treatment of data as a commodity.
“This is a decision about individual citizens and their rights not as consumers but as citizens,” said Simon McGarr, a solicitor who works regularly with DRI.
Minister for Data Protection Dara Murphy said Irish authorities had acted in good faith and called on the EU and US to conclude discussions on the replacement for Safe Harbour.
Effectively, the ECJ has ordered Ireland’s DPC to be a more proactive regulator, dismissing a claim that it was precluded from investigating a complaint filed about Facebook’s data practices by Mr Schrems.
Former data commissioner Billy Hawkes dismissed the Schrems complaint as “frivolous and vexatious”, pointing to a 2000 European Commission ruling that Safe Harbour offered “adequate” data protection.
Mr Schrems filed a judicial review to the decision at the High Court, which in turn requested clarification from Luxembourg.