Data transfer between the EU and US has come under fire in the Irish courts, due to a dispute over the clause Facebook Ireland uses to send data back to its international parent, Facebook US. EU data protection and privacy laws are among the strongest in the world, and as such, any data pertaining to EU citizens cannot be transferred outside Europe without strong assurances in place that the data will be processed under EU-compliant terms. While the US data protection laws are considered inadequate for European data, many international tech companies circumvent this using a model known as “standard contractual clauses”, whereby the parent company (Facebook US, in this example) enters into a contract with its EU subsidiary (Facebook Ireland) which pledges to meet the EU’s strict rules. Ireland is home to the European headquarters of 9 out of 10 of the world’s largest social media companies, and standard contractual clauses have been considered legally acceptable by the EU since 2001.
Ireland is home to 9/10 of the world’s largest social media companies (including Facebook), making it a crucial link between EU and US regulations.
This data transfer mechanism has now come under fire, as it is believed that the data is not being sufficiently protected once it is sent to the US. In particular, there are fears that EU citizen data is being accessed by US governmental agencies such as the NSA, which would constitute a clear breach of the agreement. The challenge to Facebook was brought by Austrian lawyer and privacy activist Max Schrems, who was responsible for another challenge to Facebook in 2015 that resulted in the European Court of Justice (ECJ) invalidating the “Safe Harbour” pact, another data transfer mechanism. Standard contractual clauses constitute an alternative means to Safe Harbour, and Schrems believes that they should be invalidated on the same grounds.
As Facebook’s European headquarters is based in Dublin, this case was lodged with the Irish high courts. The data protection authority of Ireland has said that sufficient protection is not being given to European citizens under this clause, as countries such as the US do not have adequate data protection laws. On October 3rd, Judge Caroline Costello ruled to refer the case directly to the ECJ, stating “European Union law guarantees a high level of protection to EU citizens. They are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area”. The high court will submit a series of questions to the ECJ in relation to the EU-US data transfer clauses once all parties have agreed on the wording.
However, the process has met some setbacks, as it has proven difficult for all parties to agree on the phrasing of the questions. As it stands, the Information Commissioner, Facebook Ireland and Max Schrems will draft the wording, which must be finalised by the Irish court. However, other involved parties such as Digital Europe, the Business Software Alliance and the Electronic Privacy Centre are all eager to have their say.
Now, another party is seeking to have its say in the proceedings. The US government, represented by solicitor Eileen Barrington, has said that it is “critically important” that it is able to express its views and have them factored into the decision-making process, particularly to ensure that the description of US law put forward is “factually accurate”. Barrington expressed concerns that the US government was not being treated as a party to the proceedings before the ECJ, despite the wide-reaching implications of such a case.
With the GDPR coming in May of 2015, EU data protection laws will be overhauled and standardised across the region, and finding ways for international business to continue in a secure manner will be of paramount importance.