Facebook crusader Max Schrems returned to the Irish courts today to hear the nation’s Data Protection Commissioner (the DPC) solemnly promise that yes, it would investigate data flows out of Europe.
The court ordered the DPC, which had refused to investigate, to pay Schrems' costs.
Four years ago Schrems filed 22 complaints about Facebook with the DPC, because Facebook’s European headquarters are in the Republic. Unsatisfied by the response, he then sued the DPC.
Following the revelations of the USA’s PRISM program, Schrems filed another salvo of lawsuits which culminated in a bombshell verdict by the European Court of Justice two weeks ago.
The ruling had the effect of taking concerns raised by European individuals into the hands of the data protection authorities in each of the EU’s 29 member states. Hence the Irish DPC’s decision that it should look into Schrems’ Facebook complaints after all.
The ECJ invalidated the ‘Safe Harbour’ legal arrangement that US companies have with the European superstate. The court ruled that because of permissive legislation in the USA, and the PRISM programme, Europeans couldn’t be ensured that their data was safe once transferred outside the EU, to the USA. Therefore the legal fudge of ‘Safe Harbour’ – a fudge worked out at EU level – couldn’t be maintained.
“The question of massive and indiscriminate surveillance is a key element of the Court’s analysis,” the Article 29 working group of member states’ DPRs stressed in a statement (pdf) issued on Friday.
Schrems’ NGO, Europe vs Facebook, has a handy timeline of events behind today’s judgement. ®