Irish court hears case challenging transatlantic data transfers

After Safe Harbor, Ireland's privacy watchdog wants the Court of Justice of the EU to outlaw another data transfer mechanism

penny pritzker vera jourova privacy shield
Credit: European Commission via IDG News Service

Max Schrems' 2013 complaint to the Irish data protection commissioner over Facebook's handling of his personal information put him in an unusual position on Tuesday: He's a co-defendant, alongside Facebook, in a case before the High Court of Ireland.

The case concerns the standard contract clauses that Facebook and other companies relied on to legalize their export of European Union citizens' personal information to the U.S. for processing in the months after the Safe Harbor agreement was overturned.

The three-week hearing began Tuesday with representations from the data protection commissioner (DPC), which brought the case; Schrems and Facebook will get their turn next week.

Neither defendant risks any sanctions as a result of the hearing. The DPC says it joined them to the case merely to give them a chance to intervene: Its goal is to persuade the court to refer questions about the legality of the standard contract clauses to the Court of Justice of the European Union (CJEU).

It was just such a referral that led the CJEU to declare in October 2015 that the legal protection offered by Safe Harbor was inadequate under EU privacy law. That prompted a rush to adopt the other data transfer mechanisms the law allowed, including standard contract clauses approved by the European Commission.

After the CJEU made its ruling, Schrems reformulated his original complaint to the DPC to challenge Facebook's use of standard contract clauses to transfer his personal information to the U.S., leading to the case now before the court. The DPC believes the clauses do not provide adequate privacy protection, but only the CJEU can rule on such a matter.

Facebook is now registered under Privacy Shield, the new agreement that replaced Safe Harbor, and has no further need for standard contract clauses, But it sees defending them as important for the thousands of businesses that do use them.

"While there is no immediate impact for people or businesses who use our services, we are pleased to have the opportunity to provide input in this process. It is essential that the court has the opportunity to consider the full facts before it makes any decision that may impact the European economy," a Facebook spokeswoman said Tuesday.

The outcome may not matter to Facebook, but outlawing the clauses would be a small blow to Google, which on Monday bragged that customers of its cloud services could now rely on EU privacy regulators' approval of its standard contract clauses for their transatlantic data transfers.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon