Schrems' Facebook case edges closer to ruling over EU-US data flows

Irish court issues questions to top Euro judges in long-running scrap between privacy activist and Facebook

Max Schrems’ battle to turn off Facebook’s trans-Atlantic data flows has crawled one step closer, as the Irish High Court today issued the EU's top court with a set of questions to rule on.

The privacy activist’s multi-year slog began when he brought a complaint against Facebook's mass data slurping, in light of Edward Snowden’s revelations about the extent of bulk data collection by the US government.

That 2013 complaint, to the Irish Data Protection Commissioner (Facebook has its European HQ in the nation), has since been bounced back and forth between the Irish High Court and the Court of Justice of the European Union.

The Irish court’s first referral of DPC v Facebook Ireland and Maximillian Schrems* up to the European court saw the CJEU overturn the Safe Harbor deal that allowed businesses - including Facebook - to move data from the EU to the US, despite the latter’s less stringent data protection laws.

Although a major victory, the case has continued, shifting focus to the standard contractural clauses (SCCs) that Facebook, and many other businesses, started relying on after Safe Harbor was proclaimed dead in the water.

The question now facing the Irish High Court is whether these SCCs ensure proper protection for EU citizens’ data, in line with those set out in EU laws and the Charter of Fundamental Rights.

In a judgment issued last October, the High Court held that US surveillance law allows “mass processing” of personal data, and that the DPC had “well founded concerns” as to whether there is an effective remedy for EU citizens under US law.

However, it said it would need to refer a number of questions up to the CJEU - and has today issued these questions (PDF), bringing the case one step closer to closure. Schrems said he was hopeful that the CJEU would be able to deal with the issue “once and forever”.

Broadly, the questions aim to ascertain how much protection EU citizens’ whose data is transferred using SCCs should be afforded, which US laws should be used to assess these protections, and whether and how it relates to Privacy Shield, the successor to Safe Harbor.

For instance, the court asks if the provision of an ombudsperson under the Privacy Shield deal provides a remedy to people whose data is transferred to the US under SCCs.

Elsewhere, the Irish court also asks how a data protection agency is required to respond if a company importing data is subject to surveillance laws that it believes conflicts with EU data protection laws, the Charter or the SCC agreement.

Would it be required to use enforcement powers to suspend data flows, the court asks, or is the exercise of these powers limited to exceptional cases only; or can a DPA use its discretion not to suspend data flows?

Commenting on the possible outcome of the case, Schrems said that, in light of the Irish High Court's ruling that US surveillance laws allow for “mass processing” of data: "The question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers."

He added that, in the long-term, “the only reasonable solution is to cut back on mass surveillance laws”.

If such a solution isn’t available between the EU and US, he said, “Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation”.

However, Schrems also noted that he would like the CJEU to opt for a "targeted solution" that he argued the law would allow for.

This would only limit data transfer to companies that fall under a US surveillance law, he said. On the other hand, scrapping SCCs full-stop would have “very problematic consequences for many US and EU industry sectors that have nothing to do with surveillance”. ®

* Why the case name looks so weird: The case has taken an unusual route, with the DPC asking the commercial division of Irish High Court to refer the question up to the CJEU - and naming Facebook Ireland and Schrems as defendants in the proceedings.

Narrower topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022