Austrian lawyer Max Schrems has stepped up pressure on the Irish data protection commissioner to take action over Facebook, following a judgment by the European Court of Justice to strike down the EU-US data-sharing agreement, Privacy Shield.
Schrems’ lawyers have written to the Irish data protection commissioner (DPC), Helen Dixon, demanding that she sets out a clear timetable for the regulator to make a decision on the legality of Facebook Ireland’s transfer of EU citizens’ data to Facebook in the US.
Schrems filed a complaint with the DPC in Dublin in 2013, arguing that Facebook’s European headquarters in Ireland were illegally sharing his personal data with Facebook in the US, in breach of European data protection and human rights law.
In a letter to lawyers representing the Irish DPC on 27 June, Schrems said the commissioner had yet to act on his complaint against Facebook after seven years.
He pointed out that the European Court of Justice (CJEU) found in its judgment that complaints to data protection authorities must be investigated “promptly and with all due diligence and speed”.
And a judgment by the Irish High Court recorded that the Irish DPC had given an undertaking in 2015 that the complaint would “be investigated with all due diligence and speed”.
Schrems’ letter added: “It is surprising that, in the light of the background set out above, your letter, eight days after the CJEU judgment, provides no detail in respect of a timeline in order to bring the complaint to a conclusion.”
Schrems’ complaint followed revelations by former US National Security Agency whistleblower Edward Snowden that US intelligence agencies and other government bodies had access to private data on European citizens on Facebook and other tech companies.
The CJEU found that US surveillance laws – which enable the US to harvest private data of non-US citizens – were not proportionate, went beyond what was strictly necessary, and did not offer EU citizens privacy protections equivalent to those under EU law.
The Irish DPC argued in a letter from its solicitors on 20 July that although the CJEU’s findings were clear, implementing them was “not without complexity”.
The letter said the commissioner “is presently formulating a position setting out the means by which it will give full effect to the court’s findings”, which it said “are transformative of the law in relation to EU/US data transfers”.
Read more about the end of Privacy Shield
- Businesses will have to conduct legal assessments to ensure they can transfer data from the EU to the US and other countries, following a European Court of Justice ruling.
- The European Court of Justice has struck down Privacy Shield, the EU-US data-sharing agreement, creating uncertainty for European countries and pressuring the US to reform surveillance laws.
- A ruling by the European Court of Justice will have ramifications for hundreds of thousands of companies that share data with the US.
- At the end of this year, the UK will no longer be subject to the EU’s treaties, opening the way for it and the US to finalise a new trade relationship. Could the UK leave EU data protection standards behind?
- The striking down of Privacy Shield has been hailed as a victory for digital rights and privacy campaign groups, but will it have consequences that go beyond transatlantic data transfers?
Any enforcement steps must respect the rights of all parties to due legal process, said the letter addressed to Schrems’ lawyer.
“Such matters cannot be dispensed with simply because your client considers it useful, for his own purposes, to seek to impose particular timeframes on a unilateral – and arbitrary basis.”
Eleonor Duhs, director in law firm Fieldfisher’s privacy and information law group, said it would be normal practice for the Irish High Court, which referred the case to the CJEU, to consider the court’s ruling before the Irish DPC made a decision on Schrems’ complaint.
Schrems is demanding copies of documentation from Facebook relating to his complaint, and has asked the DPC to clarify, by the end of July, the legal basis that Facebook is relying on to transfer data to the US.
He said there is no reason why Dixon cannot make a final decision by 1 October 2020 on the lawfulness of Facebook’s transfer of data to the US.
Schrems said in a statement that he would work with his campaigning company, nyob, to “take every step necessary” to ensure that data controllers and data protection authorities implement “the clear decision” of the CJEU.
“Making sure that the Irish DPC finally takes a decision after seven years and five rulings by the Irish and European courts is only one of our options,” he said.
Read more on Regulatory compliance and standard requirements
All EU states can take data protection cases against Facebook, says EU court
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
Facebook takes legal action against Irish privacy watchdog
Irish privacy watchdog orders Facebook to stop sending user data to the US