Irish Data Protection Commissioner to evaluate whether Facebook’s data transfer to the US complies with EU privacy rules

On October 20, 2015, the Irish Data Protection Commission declared that it will proceed to investigateIrish_flag the substance of the complaint brought by Schrems against Facebook “with all due diligence” after the European Court of Justice held the Safe Harbor Decision invalid.

The investigation will commence under section 10 of the Irish Data Protection Act and it will verify, among other requirements, whether data subjects gave consent to the transfer, and whether US ensures an adequate privacy protection.

According to a statement released on October 6, 2015, the Irish Data Protection Commission will immediately engage with the other national supervisory authorities across Europe “to determine how the judgement can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”

According to this source, Judge Hogan of the Irish High Court – who awarded the legal costs to Schrems – “declined to make an order directing that the DPC conduct an investigation as they already said they would do so with all due speed”.

 

 

Background. In June 2013, Schrems had complained before the Irish Data Protection Authority that Facebook was transferring data outside the European Economic Area without respecting the EU data protection provisions. The Irish DPA refused to order Facebook Ireland to stop transfer data to its parent company in the United States. It considered that “it was statutorily bound to accept that a transfer of subscriber data by Facebook Ireland to Facebook Inc., undertaken under and in accordance with the Safe Harbor Privacy Principles and FAQs, is lawful, and remains lawful even where such data is accessed by national security authorities in the United States “.

In June 2014, Schrems sued the Irish Data Protection Commissioner before the Irish High Court. Case 2013 765 JR, see here.

On June 18, 2014, the Irish High Court referred to the EU Court of Justice a number of questions concerning the application of the Safe Harbor principles regarding cross-border transfer of private data, the key issue being whether national judges are “absolutely bound” by a company’s declaration to participate in the Safe Harbor, or whether they could still conduct their own investigations to determine if personal data are protected according to EU standards.

On October 6, 2015, the EU Court of Justice considered the Safe Harbor decision invalid, and it held that Member States’ supervisory authority are not prevented from examining the claim of a person concerning the protection of his rights in regard to the processing of personal data from a Member State to a third country, “when that person contends that the law and practices in force  the third country do not ensure an adequate level of protection”. See here.

 

More information on case C-362/14, Maximilian Schrems v Data Protection Commissioner’s case, is available at http://www.technethics.com…

 

For more information, Francesca Giannoni-Crystal

Follow us on& Like us on