Facebook fails to stop Europe’s top court weighing in on EU-US data transfers
Ireland’s Supreme Court unanimously refused its request to appeal the decision Friday, via Reuters.
Irish law does not include a provision to appeal against referrals to the CJEU but Facebook sought to both stay and appeal the decision anyway.
It was denied the stay but granted leave to appeal last year, only for the Supreme Court to extinguish its hope of preventing Europe’s top judges from weighing in on privacy concerns attached to key data transfer mechanisms which are used by thousands of companies to authorize flows of EU citizens’ personal data to the US.
The case originates in a complaint against Facebook’s use of another data transfer mechanism, Standard Contractual Clauses (SCCs), by lawyer and EU privacy campaigner Max Schrems.
He famously brought down the prior EU-US data transfer arrangement, Safe Harbor, after successfully challenging its legality in the wake of NSA whistleblower Edward Snowden’s 2013 disclosures about US government mass surveillance programs. (Hence this follow-on challenge being referred to as ‘Schrems II’.)
“Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed Facebook’s arguments that were in total denial of all existing findings so far,” said Schrems in a statement responding to the Supreme Court’s rejection of Facebook’s appeal. “We are now looking forward to the hearing at the Court of Justice in Luxembourg next month.”
Also commenting in a statement, a Facebook spokesperson said: “We are grateful for the consideration of the Irish Court and look ahead to the Court of Justice of the European Union to now decide on these complex questions. Standard Contract Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and are used by thousands of companies across Europe to do business.”
Schrems’ complaint to the Irish data protection regulator led, rather unusually, to the watchdog itself referring privacy concerns to the courts — which then widened the complaint, asking for the CJEU’s opinion on a range of fine-grained points around whether EU citizens’ rights are being adequately protected by both Privacy Shield and SCCs.
It’s shaping up to be a replay of the close CJEU scrutiny that skewered Safe Harbor, a definitive strike-down that instantly left thousands of companies scrambling to put in place alternative legal arrangements to avoid illegally processing EU citizens’ data.
At the time of writing there are 4,756 organizations signed up to the replacement Privacy Shield framework.
The European data protection landscape has also evolved since 2015 with the General Data Protection Regulation (GDPR) ramping up the size of potential fines for privacy violations.
SCCs were one of the alternative mechanisms the European Commission suggested companies use in the interim between Safe Harbor’s demise in fall 2015 and Privacy Shield getting up and running in mid-2016, although they too are now facing legal questions, per the Schrems II case.
During renegotiations and since, the European Commission has always maintained that the Privacy Shield framework, which bakes in an annual review and makes provision for an ombudsperson to handle any EU citizens’ complaints about how US companies handle their data, is more robust than its predecessor mechanism, claiming too that it is confident it will survive legal testing.