Facebook Loses Challenge to Irish Watchdog’s Data Curbs
(Bloomberg) -- Facebook Inc. lost a court fight over an initial order from a European Union privacy watchdog threatening its transfers of users’ data across the Atlantic.
An Irish court on Friday rejected the social network’s challenge, saying it didn’t establish “any basis” for calling into question the Irish Data Protection Commission’s decision.
The dispute is part of the fallout from July’s shock decision at the EU’s Court of Justice, which toppled the so-called Privacy Shield, an EU-approved trans-Atlantic transfer tool, over fears citizens’ data isn’t safe once shipped to the U.S.
That EU court ruling was quickly followed by a preliminary order from the Irish authority telling Facebook it could no longer use an alternative tool, known as standard contractual clauses, to satisfy privacy rules when shipping data to the U.S.
Facebook then fought the Irish measures, urging watchdogs to “adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.” If made permanent, the order would mean the company could no longer use so-called standard contractual clauses for data transfers, the most commonly used remaining method.
“Basically the court gave the Irish data protection authority a thumbs-up to continue an investigation, which could lead to a stop of data transfers,” said Joerg Hladjk, a lawyer with Jones Day in Brussels, who isn’t involved in the case.
Privacy campaigner Max Schrems has been complaining to the Irish watchdog that Facebook’s data transfers were no longer safe, because EU citizens’ data is at risk the moment it gets transferred to the U.S.
“Facebook lost on every ground” and failed in its attempts to “delay the Irish decision,” privacy campaigner Schrems said following Friday’s decision. “After eight years” the data protection commission “is now required to stop Facebook’s EU-U.S. data transfers, likely before summer.”
Facebook said the ruling was about the “process” followed by the Irish watchdog, whose preliminary order “could be damaging not only to Facebook, but also to users and other businesses.”
“The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family and employees across the Atlantic,” Facebook said in a statement. “Like other companies, we have followed European rules and rely on standard contractual clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities.”
The Irish authority said it welcomed the ruling.
The Irish regulator is the main privacy authority for Facebook and many other U.S. tech giants that have their European bases in the EU nation, from Apple Inc. to Google. That means the final decision could also set the course for data transfers for many other companies under its purview.
EU data-protection watchdogs have been weighing a much tougher approach to data transfers since the July ruling, because it raised the bar for continued data flows outside the EU by demanding that data protection in other countries must be “essentially equivalent” to that in the bloc.
The controversy over data transfers stretches back even further, to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency.
The EU has strict data protection rules in place since the General Data Protection Regulation took effect in 2018, empowering national regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations.
©2021 Bloomberg L.P.