Out-Law / Your Daily Need-To-Know

Facebook pledges to respond to Irish safe harbour questions

Out-Law News | 21 Oct 2015 | 5:20 pm | 1 min. read

Facebook is prepared to answer any enquiries from the Irish Data Protection Commission on the transfer of personal data, it said today. 

The social media company had offered to formally join judicial review proceedings at the High Court in Dublin over the way Ireland's data protection commissioner (DPC) handled concerns about its data transfer arrangements, although this turned out to be unnecessary, it said.

Earlier this month Court of Justice of the EU (CJEU) ruled that the 'safe harbour' framework for EU-US data transfers currently used by Facebook, along with many other companies, is "invalid".

The CJEU's judgment came in a case referred to it from the High Court in Dublin. The Irish court has been reviewing a complaint raised by Austrian privacy advocate Maximillian Schrems about the way Ireland's DPC handled his privacy concerns over Facebook. It will now continue its review, following the CJEU decision.

Facebook requested to join the proceedings if the judge was planning to issue a substantive judgment in this matter, it said in an emailed statement to Out-Law.com. However, the judge issued a decision to 'quash and remit', and will not seek further information from the parties involved, so there is no need for Facebook to formally join the proceedings, the company said.

"Facebook is not and has never been part of any program to give the US government direct access to our servers. We will respond to enquiries from the Irish Data Protection Commission as they examine the protections for the transfer of personal data under applicable law," a Facebook spokesperson said.

The Safe Harbour decision from the CJEU "does not relate to the facts of Facebook's arrangements for transferring data" and "there is no suggestion that Facebook is operating unlawfully", Facebook said in its statement.

The Article 29 Working Party, the advisory body comprising representatives from each of the 28 EU data protection authorities, has responded to the CJEU ruling by calling for EU member states and institutions to open discussions with US authorities to find solutions to allow data transfers from the EU to the US by the end of January.

EU regulators "consider that it is absolutely necessary to have a robust, collective and common position on the implementation on the judgment", the working group said.

Until a new agreement is reached, companies can continue to use standard contractual clauses and binding corporate rules, other recognised ways of transferring data to non-EU countries, to provide protection for subjects of data collection and transfer, Article 29 said.