BRUSSELS/DUBLIN (Reuters) - Data transfers to the United States by companies such as Facebook and Google face a renewed legal threat after the Irish privacy watchdog said on Wednesday it would refer Facebook’s data transfer mechanisms to the top EU court.
The move follows an Irish investigation into Facebook’s transfer of European Union users’ data to the United States to ensure that personal privacy is properly protected from U.S. government surveillance.
Facebook, like many other tech companies, has its European headquarters in Dublin and is regulated by the Irish Data Protection Commissioner (IDPC).
The IDPC said it would ask the Court of Justice of the European Union (CJEU) to determine the validity of Facebook’s “model contracts” - common legal arrangements used by thousands of firms to transfer personal data outside the 28-nation EU.
Its investigation into the California-based company was ordered by Ireland’s High Court in October after the CJEU struck down Safe Harbour, an EU-U.S. agreement that had allowed the free transfer of data between the European Union and the United States. The CJEU ruled the agreement did not sufficiently protect Europeans’ information against U.S. surveillance.
Transfers of Europeans’ personal information to the United States have been a hot topic since 2013 revelations about mass U.S. surveillance programmes such as Prism, which allowed U.S. authorities to harvest private information directly from big tech companies such as Apple, Facebook and Google.
Since the CJEU ruling, companies have had to rely on model contracts and other, more cumbersome, measures to transfer Europeans’ data to the United States in compliance with strict EU data privacy rules.
“Thousands of companies transfer data across borders to serve their customers and users,” a spokeswoman for Facebook said. “The question the Irish DPC plans to raise with the court regarding standard contract clauses will be relevant to many companies operating in Europe,” she said, adding that Facebook has a number of legal ways of moving data to the United States.
The CJEU ruling in October stemmed from a complaint by Austrian law student and privacy activist Max Schrems. He challenged Facebook’s transfers of European users’ data to its American servers, citing the risk of U.S. snooping.
“We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under standard contractual clauses,” the IDPC said.
One of the reasons the ECJ struck down Safe Harbour is because the agreement did not offer EU citizens sufficient channels to complain about U.S. surveillance.
Schrems and other privacy campaigners contend that alternative arrangements such as model clauses don’t offer Europeans any means of redress either.
“There is no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these U.S. surveillance laws,” Schrems said in a statement on Wednesday.
After the CJEU ruling in October, the EU Commission and the United States rushed to hash out a new data-sharing agreement, the Privacy Shield, which they are hoping to have up and running by the end of June.
However, EU privacy watch dogs have raised a number of concerns about the framework, heightening fears that it might not withstand a court challenge.
“If the courts decide that the standard contractual clauses cannot be relied upon and that the transfers of personal data which they facilitate must be halted, the effect on international business would be catastrophic,” said Oliver Yaros, a lawyer at Mayer Brown.
Editing by Susan Fenton and David Clarke