The Irish High Court has referred a case about the way Facebook transfers user data across the Atlantic to the US to the EU’s highest court.
The outcome, which could take months to be resolved, could affect thousands of companies who use similar systems.
It is the latest twist in a long-running legal dispute between Austrian law student Max Schrems and the social-media giant.
One expert said that there was “much at stake” in the case.
This particular part of what has become the fiendishly complex case of Facebook v Schrems hinges on so-called standard contract clauses (SCCs) and how the social network uses them to transfer data between Europe and the US.
Technology companies, many of which have data centres dotted around the globe, need to transfer information between them in order to make sure services run efficiently.
The SCCs provide the legal foundation for millions of daily data transfers to the US, Japan, Brazil and many other countries, according to the Business Software Alliance, which acted as an expert in the case.
In response to the ruling, Facebook said: “Standard contract clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business.
“They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.”
It urged the European Court of Justice to consider “the robust protections in place under standard contractual clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe”.
For his part, Mr Schrems accused the Irish Data Protection Commissioner, Helen Dixon, of passing the buck, claiming that she had “refused” to use her power to suspend Facebook’s data flows despite agreeing that there could be issues.
“It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated across the board, when a targeted solution is available,” he said.
“The only explanation that I have is that that they want to shift the responsibility back to Luxembourg instead of deciding themselves.”
Mr Schrems argued that Facebook’s data transfers were invalid because such data could be read by US intelligence agencies.
“In simple terms, US law requires Facebook to help the NSA [National Security Agency] with mass surveillance and EU law prohibits just that,” he said.
“As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”
Chief executive Mark Zuckerberg has gone on record to deny that Facebook had any involvement in Prism, a mass surveillance program described in a series of leaks from ex-National Security Agency contractor Edward Snowden.
The Business Software Alliance said that it would argue that SCCs did protect user data.
“SCCs include important safeguards to protect users – among them, they grant national data protection authorities the power to review specific implementation of these clauses on a case by case basis,” said director general of policy Thomas Boue.
“We will continue to advocate these perspectives before the Court of Justice of the EU.”
Trevor Hughes, president of the International Association of privacy professionals, said that the case was a clear example of privacy versus commercial need and that “much is at stake”.
“The digital economy is based on the flow of data across borders,” he said.
“Many are concerned that restrictions on these flows will limit the growth of economies around the world and create splintered islands for data-driven services.
“Others point to the primacy of privacy concerns and the urgent need to rein in data transfers that do not adhere to national expectations.
“All eyes are now on Luxembourg, where the court will hopefully decide soon to clear the legal uncertainty in this area.”
Kevin Cahill, an investigative journalist who has written extensively on the case for Computer Weekly, believes there is much more at stake.
“This case completely misses the point, which is criminal and unlawful mass surveillance in the UK by the US internet giants including Facebook,” he said.
“[Irish High Court Judge Caroline Costello] was critical of the situation, but her judgement will do nothing to end it.”
“Judge Hogan, in the Irish High Court, already agreed with Max Schrems that what the US was doing, via the companies, was ‘mass and indiscriminate surveillance’… and named Facebook.”
“It is beyond understanding that none of those paid to protect us from an outrage like this have acted for us and our children.”
Brief history of Schrems v Facebook
- Mr Schrems initially filed a complaint against Facebook in 2012, stating that the amount of data being collected on him breached European law
- It was filed to the Irish regulator (the DPC) because that is where Facebook has its European headquarters
- The original complaint became more complex in 2013, following revelations from ex-National Security Agency contractor Edward Snowden about a program dubbed Prism
- Prism, according to a leaked presentation, was a mass surveillance program that allowed the NSA to receive emails, video clips, photos, voice and video calls, social networking details and other data held by Microsoft, Skype, Google, YouTube, Yahoo, Facebook, AOL, Apple and PalTalk.
- In October 2015 the European Court of Justice ruled that an EU-US data sharing system dubbed Safe Harbor was invalid and that all transfers of data must end
- It also ruled that the DPC must investigate Mr Schrems’s original complaint
Fresh twist in Facebook data transfer row