February 20, 2017 A landmark case concerning the transfer of personal data by Facebook from the EU to the US began in Dublin on 7 February.
Ireland's data protection commissioner (DPC), who has jurisdiction over Facebook as its European headquarters are in Dublin is asking the High Court to refer the case to the Court of Justice of the European Union (CJEU) to determine the validity of the European Commission’s decision to approve the standard contractual clauses (SCC) used by Facebook and other companies.
The case began in 2013 when Austrian law student Max Schrems made a complaint to the DPC about Facebook’s handling of his personal data in the U.S. The complaint led to the CJEU ruling that the Safe Harbour Agreement (governing the flow of personal data between the EU and the US) was invalid as the privacy of EU citizens personal data could not be guaranteed in the U.S.
Following the invalidation of the Safe Harbour Agreement, Facebook and other companies switched to using standard contractual clauses (SCC) to transfer personal data between Europe and the U.S.
Schrems then made a second complaint to the DPC about the validity of the SCC for several reasons including the fact that they offered no access to a legal remedy for victims in the event of a breach of data privacy rights in the U.S. The DPC found Schrem’s complaint well founded and is therefore asking the High Court in Dublin to refer the case to the CJEU to rule on the validity of the European Commission’s decision to approve the SCC.
The case is important as the focus on data privacy has grown since the Wikileaks revelations in 2013. It could have huge implications not only for the rights of EU citizens but also for EU/US trade.
Facebook have criticised the challenge arguing that if the SCC are ultimately invalidated, many businesses would be unable to carry out their day to day activities including transferring personal data such as credit card details outside of the EU.
The case is due to last for approximately three weeks.