Court backs Irish regulator on Facebook data transfers inquiry

Out-Law News | 20 May 2021 | 4:36 pm | 2 min. read

The High Court in Ireland has dismissed a legal challenge brought by Facebook over plans outlined by the country’s data protection authority to open an investigation into the company’s arrangements for transferring personal data from the EU to the US.

Facebook had challenged the Data Protection Commission’s (DPC’s) draft decision to commence the inquiry and the procedures it had followed.

The High Court’s judgment, issued on 14 May, comes after the EU’s highest court had earlier become involved in the case. The Irish High Court in Ireland had previously referred several questions concerning the interpretation of EU law to the Court of Justice of the EU (CJEU) for its ruling. Those questions were focused around the adequacy of data protection provided by legal tools many businesses rely on for transferring personal data outside of the European Economic Area (EEA) in the course of their operations, including to the US.

The CJEU ruling cast doubt on the ability of businesses to rely on standard contractual clauses (SCCs) – the most popular mechanism for providing data protection law-compliant safeguarding around data transfers from the EU – for EU-US data transfers and for transfers to other jurisdictions with known invasive surveillance regimes, without countervailing safeguards in place for individuals whose data will be transferred. The judgment also effectively invalidated a European Commission decision to adopt the EU-US Privacy Shield – a framework which was set up to help businesses transfer personal data across the Atlantic in a way which complies with the requirements of EU data protection law.

The Irish court’s questions to the CJEU stemmed from an underlying dispute before it concerning the DPC’s handling of complaints raised about Facebook’s EU-US data transfer arrangements by digital and data rights campaigner Max Schrems. In a preliminary draft decision issued following the CJEU’s ruling in the so-called ‘Schrems II’ case, the DPC said that personal data should not be transferred out of the EU by Facebook Ireland to Facebook, Inc in the US.

In its ruling, the High Court found that Facebook had not established any basis for impugning the DPC’s decision to commence the inquiry or its preliminary draft decision on the suspension of data transfers to the US. In particular, the court ruled that the DPC had acted within the wide discretion afforded it by the Data Protection Act 2018 in Ireland and the General Data Protection Regulation (GDPR), and that the DPC’s approach had not violated Facebook’s rights to fair procedures.

The court rejected an argument by Facebook that the DPC had been guilty of a lack of candour, but it did accept that the DPC had been at times overly defensive with respect to the provision of information. The court was also critical of the DPC for maintaining an allegation that the proceedings were an abuse of process by Facebook until midway through the hearing of the matter.

The parties will shortly appear back before the High Court to make submissions on any issues arising from the judgment, including the final orders arising from the decision.