Specialist Lawyer Says Businesses Still Lack Practical Guidance
The Data Protection Commission (DPC) in Ireland is to investigate Facebook’s data transfers to the US following a landmark ruling earlier this month by the European Court of Justice (ECJ).
The ECJ ruled that the Safe Harbour agreement - a popular process which enables companies to send data from the EU to the US - was invalid.
The case was brought by privacy campaigner Max Schrems following the Snowden revelations. Mr Schrems had a Facebook account with the European arm of Facebook, headquartered in Ireland. Facebook shared data with its US counterpart, and Schrems objected because he was concerned that US security services would get access to his personal data. He requested that the Irish Data Protection Commission audit material that Facebook might be passing on.
The DPC initially declined to do this because it said that the export of the personal data was permissible under Safe Harbour. The matter therefore went to the ECJ with Schrems arguing that since Facebook data was subject to mass surveillance by US intelligence agencies, Safe Harbour did not offer an adequate level of protection.
Having previously said that it would not look into the matter, the DPC told the High Court in Dublin today that it will carry out an investigation.
Expert Opinion
“Businesses are still no clearer than they were when the ECJ last week declared that the EU-US Safe Harbour agreement is invalid. There are still no practical alternatives and indeed the Commission’s immediate solution for businesses to use the model contractual clauses just doesn’t work logically. If Safe Harbour is invalid because the US security services can access the data, it is hard to see how using model contractual clauses will be a long-term solution because surely the security services will also be able to access data provided under the clauses.”
Joanne Bone - Partner