In June 2013, Schrems complained to the Irish DPC on Facebook’s practice of transferring personal data of users to its parent company in the US. Schrems made these complaints following the widespread revelations that the US National Security Agency (‘NSA’) had been monitoring personal data of Facebook users.
The Safe Harbour principles allowed US companies to effectively self-certify that they met EU standards in terms of processing and securing data. Once a US company was on the Safe Harbour list then the data could be transferred. This allowed the transfer to fall under an exception in the EU Data Protection Directive. Transfers outside the EU are prohibited unless the country to which the data is being transferred provides an adequate level of protection for the data. Safe Harbour was deemed to fulfill this requirement of an adequate level of protection. This made data transfers easy and meant that significant amounts of data were constantly on the move. It’s estimated that over 4,000 companies availed of the Safe Harbour exemption.
However, once that personal data was transferred it fell under the remit of US national security laws and could be intercepted and monitored. In other words, Big Brother was watching, despite the EU data protection principles. Schrems asked the DPC to intervene to prevent Facebook’s Irish company from transferring his data to its US parent. The DPC refused to intervene and referred to the fact that the EU Commission had approved the Safe Harbour framework. Schrems took this to the Irish High Court and the High Court referred the questions raised to the European Court of Justice (CJEU). Schrems got his satisfaction in October this year when the CJEU found that the original Commission decision permitting the Safe Harbour framework was invalid due to the fact that the supremacy of national security laws in the US over privacy meant that the adequate level of protection to be provided was completely overridden. This meant the issue was sent back to the High Court in Ireland. The High Court has ordered the Irish Data Protection Commissioner to re-examine and investigate Schrems' original complaint against Facebook.
Schrems won't allow delay to get in his way and has vowed to take all legal steps necessary to progress the matter. The Weltimmo decision puts a further spanner in the works and Schrems has now joined the Belgian and German DPCs to his cause to pressure Irish officials. Ireland may now longer be a Facebook haven.
For more information check out our further articles dealing with this issue:
In a revised complaint to the DPC, filed on Wednesday, Mr Schrems has called in data protection officers from Germany and Belgium to crack the whip on his four-year legal battle in Ireland against Facebook. He has also stepped up his pressure on the Irish DPC, Helen Dixon, to act swiftly, warning of “personal criminal consequences” under common law should she “wilfully fail to perform” her duties.