The Irish High Court released its judgement in a case against Facebook. The court agreed with the Irish Data Protection Commissioner’s (DPC) concerns and found that channels that Facebook and other companies use for data transfer from the EU to the US might be illegal.
The reason it might be illegal is because the data privacy of EU citizens is threatened by the massive digital surveillance of the US government. This includes the massive surveillance programs PRISM and Upstream which Edward Snowden famously uncovered.
The Irish court has referred the issue to CJEU, Europe’s highest court, to reach a definitive decision on the validity of the data transfer.
OUR FIRST STATEMENT on #Facebook/#PRISM/@Snowden: https://t.co/jB9lCYMyhp
Executive Summary by the High Court: https://t.co/ncE7cQuqtF pic.twitter.com/2v1iVtgygF
— Max Schrems (@maxschrems) October 3, 2017
Why is Facebook transferring data between the EU and the US?
Facebook is split up into two companies: Facebook Inc., the parent company, and Facebook Ireland Ltd., which operates the company’s international business outside of the US and Canada (85.9 percent of all FB users). Facebook Ireland Ltd. sends all its user data to its parent company in the US, which is why the case is being tried in Ireland.
This transfer of data to the parent company means that personal data of EU citizens is stored where the US government could employ its questionable mass digital surveillance — and possibly infringe upon the fundamental rights of the EU citizens to privacy. This is what Max Schrems — who filed the original complaint against Facebook back in 2013 — and the Irish DPC are fighting against.
The star of the show: SCC
Technically speaking, the EU bans all data transfers from Europe to any country outside the EEA. However, there’s an exception to the law which Facebook, along with other companies, utilizes to transfer data from Europe to the US. This exception is called SCC (Standard Contractual Clauses) and is at the very center of the case.
In the ruling on October 3, the Irish High Court stated that the DPC “raised well-founded concerns as to the validity of the [SCC] decisions and the court shares those concerns.” That’s why the court has decided to refer questions about the validity of SCC to CJEU, Europe’s highest court, to determine definitively if it’s infringing on EU citizen’s privacy.
What’s important to note is that this isn’t the first case where the CJEU will rule on a regulation regarding Facebook’s data transfers to its parent company in the US. Back in 2015, the CJEU invalidated Safe Harbor — another exception to EU’s strict privacy laws that Facebook made us of before SCC — after Schrems’ court case.
It’s therefore clear that the CJEU’s next ruling on SCC could have massive impact on data transfer from Europe. Especially because companies won’t have another exception to grab on to.
What happens next?
The next step is that the Irish High Court will gather case’s parties on October 11 to agree on the precise questions that will be referred to the CJEU. Soon after that, the actual referral to the CJEU will take place.
The ruling of the Irish High Court on SCC will therefore have no immediate effect on Facebook’s — or any other company’s — data transfers between the US and Europe. No actual disruption (depending on the verdict) will happen until the CJEU rules on the validity of SCC, which can take up to one and half years. However, people disagree on what that ruling should look like.
First quick statement on High Court ruling.. #CJEU #SCCs @Snowden #Facebook #Referral #Dublin #HighCourt pic.twitter.com/hXQx1lBmx6
— Max Schrems (@maxschrems) October 3, 2017
Schrems believes that it would be enough to employ Article 4 of the SCC to specifically target and stop Facebook’s data sharing. However, according to Schrems’ video and aforementioned statement, the DPC wants a more systematic overhaul, which targets the entire SCC. The Irish High Court agreed with the DPC’s concerns and that’s why questions about the validity of the entire SCC will be referred to the CJEU.
A Facebook spokesperson told TNW that the Irish court’s ruling had no effect on the company’s operations, but emphasized that the SCC was essential to companies of all sizes that operate to some degree in the US or elsewhere in the world.
“It is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe,” said Facebook’s spokesperson.
Whatever the CJEU’s ruling will be on SCC, it’s certain that it will have huge implications, both inside and outside of Europe. One of those implications could be to define how far countries go with mass surveillance, as Schrems points out, including EU countries.