Irish data cops kick Max Schrems' latest Facebook complaint up to EU Court
Safe Harbor's dead, now DPC wants contract clauses decision
The Irish Data Protection Commissioner has referred Max Schrems' original complaint to the EU Court of Justice to determine if Facebook's transfers of personal data from the EU to the US is legal.
Transatlantic data sharing has come under tight scrutiny following the collapse of the Safe Harbor agreement after a Court of Justice of the EU (CJEU) ruling in favour of Schrems last year.
The Irish DPC told The Register: “We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
The CJEU ruling against Safe Harbor mainly related to mass surveillance conducted by the US NSA, whose PRISM snooping programme allowed them access to EU citizens' personal data collected by US corporations.
While governments, under EU regulations, are required to provide a means of redress to citizens who believe their rights have been infringed by the spooks, such applications cannot be submitted to anyone in the United States.
As The Register reported, despite the CJEU's declaration of the incompatibility of the EU and US data protection regimes, the American corporations, who do so love shipping bytes across the Atlantic, simply shrugged.
Almost immediately companies such as Facebook, Microsoft, and Salesforce invoked "model contracts" which they claimed allowed customers to practically ignore the judgment.
Schrems, the campaigner who brought down Safe Harbor, said that "model contracts" pose "a very serious issue for the US tech industry and EU – US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right."
I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don't see now there could be a solution.
A copy of Facebook's "Model Clauses" contract (PDF) provided by Schrems does not, however provide any means of redress for EU citizens whose rights may be violated by US mass surveillance.
A Facebook spokesperson told The Register: "Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in [the EU]."
"While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contract Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries," the spokesperson concluded. ®
Sponsored: Becoming a Pragmatic Security Leader