The High Court in Ireland has dismissed Facebook’s lawsuit against the Irish Data Protection Commission’s preliminary draft decision to ban the social networking giant from using standard contractual clauses’ to transfer the data of EU residents to the US.
Last year, the Irish DPC told Facebook it could no longer use ‘standard contractual clauses’ to transfer the data of EU residents to the US. With the European Court of Justice invalidating the EU-US Privacy Shield that allowed the transfer of personal data between the two regions, businesses could still use standard contractual clauses to transfer data to the US.
The preliminary view of the Data Protection Commission was that Facebook’s data transfers failed to guarantee the level of protection to data subjects that is afforded by the GDPR and that pursuant to the DPC’s powers under Article 58 of GDPR, the data transfers should be suspended.
The regulator arrived at this decision not long after the European Court of Justice invalidated the EU- US Privacy Shield that allowed the transfer of personal data between the two regions, stating that since the requirements of U.S. national security, public interest, and law enforcement have primacy, the Privacy Shield does not protect personal data from being accessed by U.S. public authorities for various reasons.
Responding to the DPC’s preliminary findings, Yvonne Cunnane, Facebook’s Head of Data Protection and Privacy, said that if adopted, the preliminary decision is “likely to have significant adverse effects upon the Applicant, its business and on the many millions of individuals and businesses who use its services.”
Facebook filed a lawsuit in September last year, alleging that the Irish DPC had already formed an opinion and did not expect Facebook to be in a position to persuade it via a detailed response to the Preliminary Draft Decision. Stating that the Irish DPC did not make any attempt to gather information from Facebook prior to or after sending the letter on 28th August, Cunnane said it also did not follow its own “12-stages” of a statutory inquiry which were mentioned in the DPC’s 2018 Annual Report.
In the lawsuit, filed by Facebook Ireland Ltd in the High Court in Dublin, Cunnane also alleged that the DPC chose to initiate the new inquiry even though a previous broad-based inquiry, based on similar data protection concerns, was in process. The Commissioner also chose to arrive at a preliminary view even though the European Data Protection Board (EPDB) has set up a task-force to examine the ECJ’s judgment and to support data controllers to identify and implement measures to ensure adequate protection when transferring data to third countries.
Lastly, Cunnane also alleged that the Irish DPC has not initiated a similar inquiry into data transfers conducted by other companies within its jurisdiction, indicating Facebook is being singled out as a lot of companies are presently using ‘standard contractual clauses’ to transfer the data of EU residents to the US.
On Friday, the High Court dismissed Facebook’s lawsuit, stating that Facebook Ireland “has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC.” The judgment is in line with the European Court of Justice’s decision in July last year which found the DPC’s enquiry mechanism to be valid.
If the final decision of the DPC does not differ from its preliminary draft decision, then Facebook will not be able to transfer the data of 410 million European users to the US. This could pose significant damage to its revenue generation and future prospects in the continent. Despite the High Court deciding against its plea, Facebook has vowed to carry on the fight.
“We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook but also to users and other businesses,” a spokesperson said. If the DPC’s final decision is uniformly applied to all US businesses operating in Europe, it could affect their business prospects as well.
“The recent decision by data regulators in Ireland to block user data transfers in regard to EU privacy laws needs to be taken seriously by US businesses who rely on joint commerce with the EU. This is a sign of the type of tribulations that US data-rich businesses could see more of since the EU-US Privacy Shield agreement was struck down by the EU Court of Justice,” said Chris Strand, Chief Compliance Officer at IntSights.
“The decision will impact both sides of the Atlantic, but in particular, it could adversely affect many US Tech companies who have a significant investment in business operations located in Ireland. That’s why this particular ruling is even more concerning with the number of US European headquarters located in Ireland.
“I believe that the decision is meant to be a stern statement by the EU member state (and one that has extensive transatlantic data transfers in place with the US) to put its foot down on the concerns regarding the processing, surveillance, and collection of EU data in the US.
“However, careful consideration should be practiced and hopefully these types of rulings will lead to escalating the arrangement for a follow-on agreement since the impact to EU data-driven businesses could be considerable as they will have reduced access to US tech resources and the default needed to conduct global business,” he added.