Ireland’s High Court on Tuesday (20 October) ordered an investigation into Facebook’s transfer of European Union users’ data to the United States, to make sure personal privacy was properly protected.
The court told the Irish Data Protection Commissioner to investigate following the landmark ruling by the European Court of Justice (ECJ) on 6 October, which struck down the Safe Harbour agreement that had allowed the free transfer of data between the European Union and the United States.
Both the ECJ decision and Tuesday’s ruling were the result of a challenge by Austrian law student Max Schrems, lodged after revelations in 2013 of the US government’s Prism programme, which allowed authorities to harvest private information directly from big tech firms like Facebook and Google.
The initial challenge was made in Ireland because Facebook has its European headquarters in Dublin and is regulated by the Irish Data Protection Commissioner. Tuesday’s ruling overturns the commissioner’s initial refusal to investigate.
“My client will now investigate the matter […] with all appropriate diligence,” Paul Anthony McDermott, lawyer for the Irish Data Protection Commissioner (DPC) told the High Court in Dublin. The judge awarded costs to Schrems.
Facebook will “constructively engage” with any investigation, its barrister Rossa Fanning told the court.
The ECJ ruling has thousands of US and European companies mired in legal uncertainty over the transfer of personal data from Europe to the United States. That includes payroll and human resources information as well as data used for online advertising, which is of particular importance to tech firms.
Under EU data protection law, companies cannot transfer EU citizens’ personal data to countries outside the bloc deemed to have insufficient privacy safeguards.
Facebook has repeatedly denied providing the US National Security Agency with ‘backdoor’ access to its servers, and says its data transfer processes have already been audited by the Irish Data Protection Commissioner.