Facebook is seeking a judicial review against the Irish Data Protection Commission (DPC) after receiving a preliminary order from the privacy watchdog to suspend its data transfers to the US.
The social media giant lodged the papers ex parte in the Irish High Court on 10 September, which will now be asked to test the validity and legality of the DPC’s preliminary ruling that Standard Contractual Clauses (SCCs) cannot be used as the mechanism for transatlantic data transfers.
The European Court of Justice (ECJ) brought the legality of SCCs into question when it ruled to strike down the Privacy Shield agreement in July, on the basis that it failed to ensure European citizens adequate right of redress when data is collected by US intelligence services.
Although the ECJ found SCCs were still legally valid, it ruled that companies have a responsibility to ensure those they shared the data with granted privacy protections equivalent to those contained in EU law.
Austrian lawyer Max Schrems, who initiated the legal proceedings that led to the ECJ’s landmark decision (colloquially known as Schrems II), tweeted that Facebook’s decision to seek a judicial review “shows (a) how they will use every opportunity to block a case, even before there is a decision, and (b) how it is wholly illusionary to get such a case through in a couple of weeks or months in the Irish legal system”.
Both NOYB and Facebook were approached for comment but failed to respond by the time of publication.
When approached about Facebook’s decision to seek a judicial review, the DPC told Computer Weekly it would not be commenting at this time.
Further legal action against the DPC
According to Schrems, his digital rights not-for-profit NOYB was not informed of the DPC’s decision to issue the preliminary order, which has now effectively paused the procedure of an ongoing complaint he said the regulator has already failed to act on for seven years.
For this reason, NOYB has informed the DPC of its plans to file an interlocutory injunction for its “mismanagement” of the Facebook case.
“This limited case by the DPC is especially interesting, as Facebook has indicated in a letter from 19 August 2020 that (after the end of Safe Harbor, Privacy Shield and the SCCs) it is now relying on a fourth legal basis for data transfers: the alleged ‘necessity’ to outsource processing to the US under the contract with its users,” it said.
“This means that any ‘preliminary order’ or ‘second investigation’ by the DPC on the SCCs alone will, in fact, not stop Facebook from arguing that its EU-US data transfers continue to be legal. In practice Article 49 (1b), GDPR may be an appropriate legal basis for very limited data transfers (for example, when an EU user is sending a message to a US user), but cannot be used to outsource all data processing to the US,” said Schrems.
“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”
According to an FAQ on the Schrems II judgment released by the European Data Protection Board (EDPB) on 23 July 2020, whether or not a company can transfer based on SCCs will depend on the results of their assessments, which have to take into account the circumstances of the transfer and any supplementary measures that cold be put in place.
“The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that US law does not impinge on the adequate level of protection they guarantee,” it said.
“If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.”
It added that, with regard to the necessity of transfers for the performance of a contract, companies should bear in mind that personal data can only be transferred when it’s done so ‘occasionally’.
It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”, it said.
“In any case, this derogation [of GDPR’s Article 49] can only be relied upon when the transfer is objectively necessary for the performance of the contract.”