Challenge to data transfer tool used by Facebook will go to Europe’s top court

Facebook has bought itself a little more time over a major legal challenge in Europe after the Irish High Court decided not to strike down a b2b mechanism it uses to transfer user data between its EU and U.S. businesses for processing. Rather the court said today that it will refer legal questions over so-called Standard Contractual Contracts (SCCs) to Europe’s top court, the ECJ, for a preliminary ruling.

This means it could take around 1.5 years before there is a judgement, and Facebook can continue to use SCCs in the meanwhile instead of being forced to suspend these data transfers.

The challenge to Facebook’s use of SCCs was brought by European privacy campaigner and lawyer Max Schrems. He had originally complained to the Irish data protection commissioner (DPC), asking it to suspend data flows in Facebook’s case. But while the DPC agreed there are legal questions over the mechanism it decided to refer the issue to the High Court to consider the legality of SCCs as a whole.

The five-week court hearing in what is a complex case delving into detail on US surveillance operations took place in February. The court issued its ruling today.

The 153-page ruling starts by noting “this is an unusual case”, before going into a detailed discussion of the arguments and concluding that the DPC’s concerns about the validity of SCCs should be referred to the European Court of Justice for a preliminary ruling.

Schrems is also the man responsible for bringing, in 2013, a legal challenge that ultimately struck down Safe Harbor — the legal mechanism that had oiled the pipe for EU-US personal data flows for fifteen years before the ECJ ruled it to be invalid in October 2015.

Schrems’ argument had centered on U.S. government mass surveillance programs, as disclosed via the Snowden leaks, being incompatible with fundamental European privacy rights. After the ECJ struck down Safe Harbor he then sought to apply the same arguments against Facebook’s use of SCCs — returning to Ireland to make the complaint as that’s where the company has its European HQ.

It’s worth noting that the European Commission has since replaced Safe Harbor with a new (and it claims more robust) data transfer mechanism, called the EU-US Privacy Shield — which is now, as Safe Harbor was, used by thousands of businesses. Although that too is facing legal challenges as critics continue to argue there is a core problem of incompatibility between two distinct legal regimes where EU privacy rights collide with US mass surveillance.

Schrems’ Safe Harbor challenge also started in the Irish Court before being ultimately referred to the ECJ. So there’s more than a little legal deja vu here, especially given the latest development in the case.

In its ruling on the SCC issue, the Irish Court noted that a US ombudsperson position created under Privacy Shield to handle EU citizens complaints about companies’ handling of their data is not enough to overcome what it described as “well founded concerns” raised by the DPC regarding the adequacy of the protections for EU citizens data.

(Although, in a further irony, a permanent ombudsperson has yet to be appointed by the Trump administration.)

The exact questions that will to be referred by the court to the CJEU will be decided at a later date this month.

Making a video statement outside court in Dublin today, Schrems said the Irish court had dismissed Facebook’s argument that the US government does not undertake any surveillance.

https://twitter.com/maxschrems/status/915168555745849344

In a written statement on the ruling Schrems added: “I welcome the judgement by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgement, after diving through more than 45,000 pages of documents in a five week hearing.

“I am of the view the Standard Contractual Clauses are perfectly valid, as they would allow the DPC to do its job and suspend individual problematic data flows, such as Facebook’s. It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated Facebook across the board, when a targeted solution is available. The only explanation that I have is that they want to shift the responsibility back to Luxembourg instead of deciding themselves.”

On Facebook, he also said: “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that. As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”

We’ve reached out to Facebook for comment and will include the company’s response when we have it. Update: A company spokesperson has now provided the following statement via email:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the [ECJ] now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

While Schrems’ original complaint pertained to Facebook, the Irish DPC’s position means many more companies that use the mechanism could face disruption if SCCs are ultimately invalidated as a result of the legal challenge to their validity.

Responding to today’s ruling, the BSA — one of the amicus curiae in the case speaking up for the importance of SCCs as “a basis for data transfers that are essential to the economy and job creation on both sides of the Atlantic” — said in a statement: “We have argued that this case should not be about standard contractual clauses in their entirety, but instead about how the clauses were formulated and used for the specific transfers involved here. We also explained that the SCCs include important safeguards to protect users — among them, they grant national data protection authorities the power to review specific implementation of these clauses on a case by case basis. We will continue to advocate these perspectives before the Court of Justice of the EU.”

Europe’s influential Article 29 Working Party, which is made up of representatives from all the data protection authorities of the Member States, has previously voiced concerns about SCCs. It also has ongoing concerns about Privacy Shield.

The latter mechanism underwent its first annual review by EU officials in the US last month — and a report is due this month. Although the EC, which drove the process to replace the defunct Safe Harbor, was quick to profess itself publicly satisfied with what it has seen.