In May 2021, Ireland’s High Court rejected an action by Facebook to block an inquiry by the Irish data regulator, the Irish Data Protection Commissioner (DPC), that could result in Facebook’s data flows from the European Union to the United States being halted.

In August 2020, the Irish Data Protection Commissioner issued a Preliminary Draft Decision against Facebook which led to the initiation of an in-depth inquiry of Facebook’s data transfers. The DPC then issued a provisional order stating that the main mechanism used by Facebook to transfer EU data to the United States was not fit for use in practice and infringed the EU GDPR.

Facebook had challenged both the inquiry and the Preliminary Draft Decision on procedural grounds, arguing that the DPC had drawn its conclusions too quickly and without access to sufficient evidence from Facebook, therefore denying the company of its right to fair procedures. Facebook stated that the preliminary decision threatened "devastating" and "irreversible" consequences for its business, which relies on processing user data to serve targeted online advertisements.

Background

The case stems from widespread European concerns that United States government surveillance may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.

This Irish High Court’s decision is in response to an action originally brought by Austrian privacy advocate Maximilian Schrems, who called for the Irish DP Commissioner to invalidate the European Commission’s Standard Contractual Clauses (SCC) for Facebook’s use of transferring personal data to its headquarters in the United States. Schrems argued in the Court of Justice of the European Union (CJEU) that the personal data being transferred on the basis of the SCCs could be accessed by United States intelligence agencies therefore violating his fundamental rights under GDPR, and more generally, under EU law.

In July 2020, the CJEU issued its judgement on the action brought by Schrems and decided that one of the mechanisms for transferring data from the EU to the United States, known as the EU-US Privacy Shield should be entirely invalidated. However, the CJEU held that the SCCs remained valid but should only be used under strict conditions. This judgement of the CJEU, widely known as the “Schrems II” decision, ultimately restricted how companies like Facebook could send European citizens’ personal information to the United States, because it found that European citizens had no effective way to challenge US government surveillance.

As a result of the CJEU ruling, the Irish Data Protection Commissioner launched its investigation into the EU-US data transfers facilitated by Facebook and which ultimately led to the decision in May 2021. The Irish High Court ruling can be considered as the first significant step EU regulators have taken to enforce the Schrems II decision.

What could this mean for Facebook?

The Irish High Court’s rejection of Facebook’s attempts to stop an inquiry into its data transfers means that the investigation by the Irish DPC will now resume with a view to deciding whether to ultimately enforce their Preliminary Draft Decision. Facebook have an opportunity to respond to the Preliminary Draft Decision within 21 days of the resumption of the enquiry.

If the Irish data regulator enforces the provisional order, it would likely result in Facebook having to halt personal data transfers from the EU to the US, at least temporarily while it re-engineers its service to exclude data it collects from European users.

Comment

The decision from the Irish High Court and the underlying consequences of the judgement are central to trans-Atlantic trade and the digital economy. The implementation of the Irish DPC’s Preliminary Draft Decision would inevitably have an effect on trans-Atlantic data flows for other companies that are subject to US surveillance laws and could potentially lead to widespread disruption of EU-US data transfers. The decision would effectively end the privileged access that companies in the United States have to personal data from Europe and could potentially result in billions of dollars lost for businesses in the digital economy that are reliant on such data flows.

The inquiry and ultimate decision made by the Irish DPC may lead the way in terms of EU privacy enforcement and are therefore, being closely monitored by a number of other large tech companies such as Google, Twitter and Apple, all of which have their European headquarters in Ireland. So watch this space.

This article was co-written by Clare Tuohy.