The Irish High Court will issue a judgment on a legal challenge by Facebook to overturn a draft decision by Ireland’s data protection commissioner to suspend the company’s data-sharing with the US.
The news follows a last-minute agreement between privacy campaigner Max Schrems and the data regulator, who were due to be in court today.
The judge, Justice Barniville, said he planned to make a decision on the case “as soon as possible”, pending other cases.
The court was due to hear a legal challenge by Schrems, an Austrian lawyer based in Vienna, against the data protection commissioner’s (DCP’s) decision to issue the draft order against Facebook halting its data transfers to the US.
Schrems said he was concerned that DCP Helen Dixon’s draft decision against Facebook would lead to further delays and would adversely effect the regulator’s investigation into his own complaints into Facebook.
He also claimed that the DPC’s inquiry, which the regulator took of its “own volition”, would fail to fully examine the legal grounds that Facebook is relying on to transfer data from the EU to the US.
Schrems resolved his case against the DPC on 13 January following an exchange of letters agreeing how his complaint would be addressed, avoiding the need for a hearing.
The privacy activist first filed a complaint to the DPC against Facebook in 2013, amended in 2015, which has yet to reach a resolution.
Schrems argues that the social media company is in breach of data protection law by exporting data on European citizens to the US. He claims that European data is subject to mass surveillance by the US National Security Agency with few legal safeguards to protect the privacy of EU citizens.
Facebook sues Irish data regulator
Facebook began its own proceedings against the DPC in August 2020 after the regulator disclosed that it had made a draft decision that Facebook Ireland should not transfer personal data out of the EU to its US parent, Facebook Inc.
The DPC said Facebook’s data transfers failed to guarantee a level of protection to data subjects equivalent to those provided for in EU law.
The draft order followed a landmark judgment by the Court of Justice of the European Union in July 2020, which struck out the EU-US Privacy Shield agreement.
On Wednesday 13 January 2021, lawyers representing Schrems said the inquiry into Schrems’ complaint was to proceed as outlined in a letter from the DPC of 12 January 2021. This meant the court did not have to resolve the issues in Schrems’ case, apart from costs.
Justice Barniville agreed to adjourn the Schrems case until after he has delivered judgment on the Facebook case. He said he hoped to give judgment as soon as possible, but he had a number of other judgments to prepare and deliver first.
Earlier, the judge said he had received witness statement on behalf of the DPC and Facebook relating to the number of inquiries undertaken by the DPC of its own volition since 2018.
The court heard that the DPC had undertaken 83 “own volition” inquiries, of which 27 were cross-border inquiries. Facebook was a party to 11 of the cross-border inquiries.
The only outstanding issue in the proceedings relate to legal costs. The parties have agreed that costs can be decided by Justice Barniville following the delivery of his judgment in Facebook’s case.
Schrems says ‘walls closing in’ on Facebook
Following an agreement with the DPC, Schrems said the commissioner’s inquiry into Facebook would hear his representations and would also receive copies of all submissions by Facebook, if the court allows the DPC’s draft order to go ahead.
Schrems said in a statement that the “walls are closing in” on the social media company. “Multiple courts have now held that the DPC must investigate this complaint,” he said.
Gerard Rudden, solicitor for Schrems, said the DPC had largely agreed with Schrems that Facebook cannot continue transferring data to the US.
“When it comes to the question of whether Facebook can continue to transfer data to the US, the DPC has largely been in agreement with us before the courts,” he said.
“It repeatedly took the firm view that Facebook cannot continue to transfer EU data to the US. However, the DPC has not issued a decision to that effect in 7.5 years.”
Schrems said the DPC and had also agreed that the case would be dealt with under the General Data Protection Regulation (GDPR) rather than the Irish Data Protection Act that was in force before 2018.
Max Schrems’ long battle with Facebook
26 July 2000: The European Commission makes a decision to allow data transfers between the EU and the US between organisations that self-certify as being compliant under Safe Harbour. European regulators have the right to suspend data transfers if the principles of Safe Harbour are breached.
25 June 2013: Max Schrems makes a formal complaint to the Irish Data Protection Commission against Facebook Ireland. He cites probable cause that Facebook is breaking the Irish Data Protection Act and the European Data Protection Directive by providing “mass access” to data on European citizens to the NSA.
25 July 2013: The Data Protection Commission Ireland rejects Schrems’ complaint, arguing it is frivolous and vexatious.
18 June 2014: In the Irish High Court, judge Desmond Hogan asks the European Court of Justice to determine whether the Irish Data Protection Commission is bound by the Safe Harbour Agreement. The judgment found that the US routinely accesses personal data on a “mass and undifferentiated basis”.
20 November 2015: Facebook Ireland signs an agreement with Facebook Inc to transfer data on Facebook’s European customers to the US using standard contractual clauses (SCCs), as an alternative to Privacy Shield.
1 December 2015: Schrems files an updated complaint with the Irish DPC. He asks the Irish data protection commissioner to make a ruling prohibiting transfers of data between Facebook Ireland and Facebook Inc in the US on the grounds that Facebook Inc is illegally making his data available to US intelligence through the Prism collection program.
7 February 2017: The Data Protection Commission Ireland begins legal action in the commercial court in Dublin against Facebook and Schrems. Helen Dixon argues that the court should require the European Court of Justice to decide if transatlantic data transfer channels breach privacy rights of EU citizens. The US government argues that the case could have sweeping commercial ramifications.
3 October 2017: The Irish High Court decides to ask the ECJ to rule over the validity of data transfers between the EU and the US.
12 April 2018: The Irish High Court proposes 11 questions for determination by the European Court of Justice that will test whether companies can legally transfer data to the US in the light of disclosures by Edward Snowden that the US is engaged in large-scale surveillance of EU citizens.
9 May 2018: The Irish High Court refers 11 questions over the validity of SCCs and Privacy Shield to the ECJ.
1 November 2018: Facebook makes an unprecedented appeal to the Irish Supreme Court in an attempt to halt the Irish High Court referring questions over the validity of EU-US data transfer agreements to the European Court of Justice.
21-23 January 2019: The Supreme Court in Dublin hears a three-day appeal from Facebook against a decision by the Irish High Court to refer 11 questions about the legality of data transfers between Europe and the US to the ECJ, in which the US government gives evidence. The Irish Data Protection Commission argues that Facebook is attempting to head off an adverse finding by the European court that SCCs are illegal.
12 December 2019: The Advocate General Henrik Saugmandsgaard Øe finds in a primary opinion that standard contractual clauses are lawful, but raises questions over the impact of US surveillance on the legality of Privacy Shield.
27 June 2020: Schrems’ lawyers write to the Irish data protection commissioner demanding that she sets out a clear timetable for the regulator to make a decision on the legality of Facebook Ireland’s transfer of EU citizens’ data to Facebook in the US.
16 July 2020: Europe’s highest court strikes out the EU-US Privacy Shield agreement, overturning the legal basis that allows more than half a million US companies to exchange data with Europe.
23 July 2020: The European Data Protection Board (EDPD) issues guidelines on the use of Standard Contractual Clauses as a legal mechanism to send data overseas, advising companies to undertake a case by case analysis and to consider what supplementary measures could be put in place to mitigate privacy.
August 2020: The Irish Data Protection Commissioner sends Facebook a preliminary order to stop transferring data from the EU to the US.
12 August 2020: The EU and the US begin talks over a possible successor to the Privacy Shield agreement that could put data-sharing between the EU and the US on a legal footing
19 August 2020: Facebook suggests in a letter that, after the European Court of justice struck down Privacy shield and raised questions about the lawfulness of Standard Contractual Clauses, it is relying on a new legal basis to share data with the US: the necessity to process data in the US under a contract with its users.
9 September 2020: Nick Clegg, Facebook’s VP of Global Affairs and Communications, warns in a blog post that the Irish Data Protection Commissioners draft order to suspend data sharing with the US could have far reaching effects on businesses that rely on SCCs and on online services in general.
10 September 2020: Facebook files a judicial review against the Irish Data Protection Commissioner, challenging a preliminary order requiring Facebook to suspends data transfers to the US.