By DANICA KIRKA
LONDON (AP) — The European Court of Justice has been asked to consider whether Facebook’s Dublin-based subsidiary can legally transfer users’ personal data to its U.S. parent, after Ireland’s top court said Tuesday that there are “well-founded concerns” the practice violates European law.
In a case brought after former U.S. defense contractor Edward Snowden revealed the extent of electronic surveillance by American security agencies, the court found that Facebook’s transfers may compromise the data of European citizens.
The case has far-reaching implications for social media companies and others who move large amounts of data via the internet. Facebook’s European subsidiary regularly does so.
Ireland’s data commissioner had already issued a preliminary decision that such transfers may be illegal because agreements between Facebook and its Irish subsidiary don’t adequately protect the privacy of European citizens. The commissioner asked the High Court to refer this finding to the European Court of Justice because the data sharing agreements had been approved by the European Union’s executive Commission.
Ireland’s data commissioner “has raised well-founded concerns that there is an absence of an effective remedy in U.S. law ... for an EU citizen whose data are transferred to the U.S. where they may be at risk of being accessed and processed by U.S. state agencies for national security purposes in a manner incompatible” with the EU’s Charter of Fundamental Rights, the High Court said Tuesday.
Austrian privacy campaigner Maximilian Schrems, who has a Facebook account, challenged this practice through the Irish courts because of concerns that his data was being illegally accessed by U.S. security agencies.
In an earlier ruling in the case, the European Court of Justice found that the so-called Safe Harbor regime, which Facebook previously relied on when transferring data to the U.S., violated EU law because it didn’t provide effective legal remedies. The Safe Harbor regime had been established in 2000 by the EU executive Commission, which found that U.S. data protection laws were adequate to protect the rights of EU citizens.
The Irish Data Commissioner decided to seek judicial review of standard contractual clauses in part because of “the very significant commercial implications arising from the value of data exchanges to EU-U.S. trading relationships.”
The U.S. government and three other parties were allowed to file friend-of-the-court briefs in the case. The others are the BSA Business Software Alliance, a trade association whose members include Apple, Microsoft and Intel; Digital Europe, which represents the region’s digital technology industry; and the Electronic Privacy Information Center, a U.S. civil liberties group.