Facebook and Max Schrems back in court again, both pissed off at Ireland's data regulator

If you had made a decision in 2013, we wouldn't all be here


The Irish Data Protection Commission (DPC) copped the blame from witnesses in the European Court of Justice yesterday over its role in the Facebook case concerning the transfer of data to the US from its Irish subsidiary.

Back in 2013, privacy activist Max Schrems asked the regulator whether Facebook sending his data to the US was in breach of European data protection law. Six years later, we are getting closer to answer.

The case goes beyond the so-called "Privacy Shield" – the legal fig leaf introduced after Schrems convinced the European Court of Justice to strike out the previous Safe Harbor agreement to grease data transfers between the EU and US.

The court in Luxembourg is also considering whether "standard contractual clauses (SCCs)" are sufficient protection for consumers, and asked why the Irish regulator could not make its own ruling on the legal data transfer terms. SCCs are used worldwide to facilitate data transfers.

Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum, said: "The hearing today has more at stake than the first Schrems/EU-US Safe Harbor case because this time around it may impact international data transfers not only from the EU to the US, but from the EU to the entire world where standard contractual clauses are relied upon.

"At the same time, the successor of the Safe Harbor, the EU-US Privacy Shield, is also on the table."

Instead of making a ruling on Schrem's complaint back in 2013, the regulator asked an Irish court whether the clauses provided enough protection for consumers. After lengthy legal toing and froing, the issue was sent to Luxembourg for an ECJ decision.

It was this passing of the buck that several witnesses took issue with.

Facebook's lawyer warned that striking out SCCs would have a serious impact on world trade.

The court also heard from the Business Software Alliance, the European Commission and the Electronic Privacy Information Center as well as lawyers for Max Schrems, the US government and the Irish DPC.

In fact, this seems to have united both sides – Facebook and Schrems both seem to believe that SCCs should be adequate to solve the impasse.

Complainant Max Schrems, chairperson of noyb, a pressure group which uses litigation to improve privacy practises, said in a statement:

"We are proposing a measured solution: The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over. This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2-3 per cent of the cases that were brought before it. We don't have a problem with 'Standard Contractual Clauses', we have a problem with enforcement."

The case does not cover all data transfers to the US. The complaint was made against Facebook because it was named by Edward Snowden as complying with mass-surveillance schemes like PRISM. It is this mass-processing which is under investigation.

The court will release a non-binding opinion on 12 December this year followed by a full decision early in 2020.

Schrems' backgrounder to the case is here (PDF) and a useful summary of the day's events from the International Association of Privacy Personnel can be found here.

Given the complexity of the legal issues under consideration, few lawyers are risking making bets either way. It could be that the court rules it is up to Ireland's DPC to decide and kicks the can back to Dublin for a decision.

The DPC told The Reg that it "does not at this time have any statement regarding yesterday’s CJEU hearing concerning Standard Contractual Clauses and the matter remains before the Court." ®

Narrower topics


Other stories you might like

  • Meta agrees to tweak ad system after US govt brands it discriminatory
    And pay the tiniest of fines, too

    Facebook parent Meta has settled a complaint brought by the US government, which alleged the internet giant's machine-learning algorithms broke the law by blocking certain users from seeing online real-estate adverts based on their nationality, race, religion, sex, and marital status.

    Specifically, Meta violated America's Fair Housing Act, which protects people looking to buy or rent properties from discrimination, it was claimed; it is illegal for homeowners to refuse to sell or rent their houses or advertise homes to specific demographics, and to evict tenants based on their demographics.

    This week, prosecutors sued Meta in New York City, alleging the mega-corp's algorithms discriminated against users on Facebook by unfairly targeting people with housing ads based on their "race, color, religion, sex, disability, familial status, and national origin."

    Continue reading
  • Metaverse progress update: Some VR headset prototypes nowhere near shipping
    But when it does work, bet you'll fall over yourselves to blow ten large on designer clobber for your avy

    Facebook owner Meta's pivot to the metaverse is drawing significant amounts of resources: not just billions in case, but time. The tech giant has demonstrated some prototype virtual-reality headsets that aren't close to shipping and highlight some of the challenges that must be overcome.

    The metaverse is CEO Mark Zuckerberg's grand idea of connected virtual worlds in which people can interact, play, shop, and work. For instance, inhabitants will be able to create avatars to represent themselves, wearing clothes bought using actual money – with designer gear going for five figures.

    Apropos of nothing, Meta COO Sheryl Sandberg is leaving the biz.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading

Biting the hand that feeds IT © 1998–2022