naito8 - stock.adobe.com

Facebook takes legal action against Irish privacy watchdog

Facebook’s legal action against the Data Protection Commission will attempt to preserve the company’s ability to transfer European citizens’ data to the US despite its lower privacy protections

Sebastian  Klovig Skelton
By
  • Sebastian Klovig Skelton , Reporter

Facebook is seeking a judicial review against the Irish Data Protection Commission (DPC) after receiving a preliminary order from the privacy watchdog to suspend its data transfers to the US.

The social media giant lodged the papers ex parte in the Irish High Court on 10 September, which will now be asked to test the validity and legality of the DPC’s preliminary ruling that Standard Contractual Clauses (SCCs) cannot be used as the mechanism for transatlantic data transfers.

The European Court of Justice (ECJ) brought the legality of SCCs into question when it ruled to strike down the Privacy Shield agreement in July, on the basis that it failed to ensure European citizens adequate right of redress when data is collected by US intelligence services.

Although the ECJ found SCCs were still legally valid, it ruled that companies have a responsibility to ensure those they shared the data with granted privacy protections equivalent to those contained in EU law.

Austrian lawyer Max Schrems, who initiated the legal proceedings that led to the ECJ’s landmark decision (colloquially known as Schrems II), tweeted that Facebook’s decision to seek a judicial review “shows (a) how they will use every opportunity to block a case, even before there is a decision, and (b) how it is wholly illusionary to get such a case through in a couple of weeks or months in the Irish legal system”.

Both NOYB and Facebook were approached for comment but failed to respond by the time of publication.

When approached about Facebook’s decision to seek a judicial review, the DPC told Computer Weekly it would not be commenting at this time.

Further legal action against the DPC

According to Schrems, his digital rights not-for-profit NOYB was not informed of the DPC’s decision to issue the preliminary order, which has now effectively paused the procedure of an ongoing complaint he said the regulator has already failed to act on for seven years.

For this reason, NOYB has informed the DPC of its plans to file an interlocutory injunction for its “mismanagement” of the Facebook case.

“This limited case by the DPC is especially interesting, as Facebook has indicated in a letter from 19 August 2020 that (after the end of Safe Harbor, Privacy Shield and the SCCs) it is now relying on a fourth legal basis for data transfers: the alleged ‘necessity’ to outsource processing to the US under the contract with its users,” it said.

“This means that any ‘preliminary order’ or ‘second investigation’ by the DPC on the SCCs alone will, in fact, not stop Facebook from arguing that its EU-US data transfers continue to be legal. In practice Article 49 (1b), GDPR may be an appropriate legal basis for very limited data transfers (for example, when an EU user is sending a message to a US user), but cannot be used to outsource all data processing to the US,” said Schrems.

“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”

Read more about data privacy

According to an FAQ on the Schrems II judgment released by the European Data Protection Board (EDPB) on 23 July 2020, whether or not a company can transfer based on SCCs will depend on the results of their assessments, which have to take into account the circumstances of the transfer and any supplementary measures that cold be put in place.

“The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that US law does not impinge on the adequate level of protection they guarantee,” it said.

“If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory ity.”

It added that, with regard to the necessity of transfers for the performance of a contract, companies should bear in mind that personal data can only be transferred when it’s done so ‘occasionally’.

It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”, it said.

“In any case, this derogation [of GDPR’s Article 49] can only be relied upon when the transfer is objectively necessary for the performance of the contract.”

Content Continues Below

Read more on Social media technology

Start the conversation

Send me notifications when other members comment.

SearchCIO

  • 5 ways to keep developers happy so they deliver great CX

    Companies need to work on ensuring their developers are satisfied with their jobs and how they're treated, otherwise it'll be ...

  • Link software development to measured business value creation

    Companies must balance customer needs against potential risks during software development to ensure they aren't ignoring security...

  • 5 digital transformation success factors for 2021

    With the right planning, leadership and skills, companies can use digital transformation to drive improved revenues and customer ...

SearchSecurity

  • 8 benefits of a security operations center

    A security operations center can help lessen the fallout of a data breach, but its business benefits go much further than that. ...

  • Weighing remote browser isolation benefits and drawbacks

    Remote browser isolation benefits end-user experience and an organization's network security. Compare the pros, cons and cost ...

  • Compare 5 SecOps certifications and training courses

    Explore five SecOps certifications available to IT professionals looking to demonstrate and enhance their knowledge of threat ...

SearchNetworking

  • Network pros share Cisco DevNet certification advice

    Cisco DevNet certifications require a lot of time investment, but network pros who pursue the certifications say the gained ...

  • Cloud automation use cases for managing and troubleshooting

    Cloud automation use cases highlight the benefits these tools can provide to companies evaluating how best to manage and ...

  • A look inside the official Cisco DEVASC 200-901 guidebook

    In this book excerpt, readers can explore the Cisco DEVASC 200-901 official guide and get a flavor of one of Cisco's newest exams...

SearchDataCenter

  • Avoid server overheating with ASHRAE data center guidelines

    Finding the right server operating temperature can be tricky. ASHRAE standards provide guidance for all server classes and what ...

  • Hidden colocation cost drivers to look out for in 2021

    These unexpected charges and fees can balloon colocation costs for enterprise IT organizations.

  • 5 ways a remote hands data center ensures colocation success

    Off-site hardware upkeep can be tricky and time-consuming. With remote hands options, your admins can delegate routine ...

SearchDataManagement

  • Ataccama automates data governance with Gen2 platform update

    Data management vendor Ataccama adds new automation features to its Gen2 platform to help organizations automatically discover ...

  • IBM to deliver refurbished Db2 for the AI and cloud era

    IBM has a tuned-up version of Db2 planned, featuring a handful of AI and machine learning capabilities to make it easier for ...

  • Fauna improves data API collaboration and security

    A database company founded by former Twitter engineers is pushing forward its vision of a way to consume database as a service ...

Close