Ireland’s data regulator can resume a probe that may trigger a ban on Facebook’s transatlantic data transfers, the High Court ruled on Friday, raising the prospect of a stoppage that the company warns would have a devastating impact on its business.
The case stems from EU concerns that U.S. government surveillance may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.
Ireland’s Data Protection Commissioner (DPC), Facebook's lead regulator in the European Union, launched an inquiry in August and issued a provisional order that the main mechanism Facebook uses to transfer EU user data to the United States “cannot in practice be used.”
Facebook had challenged both the inquiry and the Preliminary Draft Decision, saying they threatened “devastating” and “irreversible” consequences for its business, which relies on processing user data to serve targeted online ads.
The High Court rejected the challenge on Friday.
While the decision does not trigger an immediate halt to data flows, Austrian privacy activist Max Schrems, who forced the Irish data regulator to act in a series of legal actions over the past eight years, said he believed the decision made it inevitable.
“After eight years, the DPC is now required to stop Facebook’s EU-U.S. data transfers, likely before summer,” he said.
A Facebook spokesman said the company looked forward to defending its compliance with EU data rules as the Irish regulator’s provisional order “could be damaging not only to Facebook, but also to users and other businesses.”
Privileged access
If the Irish data regulator enforces the provisional order, it would effectively end the privileged access companies in the United States have to personal data from Europe and put them on the same footing as companies in other nations outside the bloc.
The mechanism being questioned by the Irish regulator, the Standard Contractual Clause, was deemed valid by the European Court of Justice in a July decision.
But the Court of Justice also ruled that, under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
A lawyer for Facebook in December told the High Court that the Irish regulator’s draft decision, if implemented, “would have devastating consequences” for Facebook’s business, impacting Facebook’s 410 million active users in Europe, hit political groups and undermine freedom of speech.
Irish Data Protection Commissioner Helen Dixon in February said companies more broadly may face massive disruption to transatlantic data flows as a result of the European Court of Justice decision.
Commissioner Dixon’s office welcomed the decision on Friday, but declined further comment.
Meanwhile, Germany's lead data protection regulator for Facebook is banning the social network from processing personal data from WhatsApp users because it views the messaging app's new terms of use as illegal, it said on Tuesday.
The decision follows emergency proceedings opened by the regulator in the city-state of Hamburg last month after WhatsApp required users to consent to new terms or stop using the service.
"This order seeks to secure the rights and freedoms of the many millions of users who give their consent to the terms of use throughout Germany," Hamburg's data protection officer Johannes Caspar said.
"My objective is to prevent disadvantages and damages associated with such a black-box procedure."
Caspar, who leads domestic oversight of Facebook under Germany's federal system as its country office is in Hamburg, announced his decision before a May 15 deadline for consenting to WhatsApp's new terms.
WhatsApp, which is owned by Facebook, said the action by the Hamburg data protection authority rested on a fundamental misunderstanding of the purpose and effect of its update and therefore had no legitimate basis.
"As the Hamburg DPA's claims are wrong, the order will not impact the continued roll-out of the update. We remain fully committed to delivering secure and private communications for everyone," a WhatsApp spokesperson said.
The regulatory action has opened a new front in Germany over Facebook's privacy policies, with its national antitrust regulator waging a legal battle over data practices it says amount to an abuse of market dominance.
Since 2018, online privacy has been subject to a European Union rulebook, called the General Data Protection Regulation (GDPR). Under the GDPR, Ireland leads oversight of Facebook because the company's European headquarters is there.