On the 3rd of October the Irish High Court agreed with the DPC, the Irish Data Protection Commission, regarding legality concerns about the channels Facebook uses to transfer data from EU member states to the US.
Facebook, like many other multinationals, is split up into separate companies: Facebook Inc. the parent company, registered in the US, and Facebook Ireland Ltd, registered in Ireland. In the above mentioned case Facebook is on trial for transporting data from European citizens, registered under Facebook Ireland Ltd, to the US based Facebook Inc.
Unknown to many European customers, storing European visitor data on servers based outside of the EEA falls underneath exporting “Personally Identifiable Information” and is prohibited since the invalidation of the US-EU Safe Harbor Agreement (European Commission, 2016).
Since this invalidation Facebook and others have moved on to different channels, so called SCCs (Standard Contractual Clauses). These SCCs are sets of contracts clauses issued by the European Commission in order to establish safeguards to allow for the transfer of personal data from the EU to countries outside of the EEA (McLellan & Hellmuth, 2015)
The Irish high court has now referred to the CJEU, Europe’s highest court, for a preliminary ruling on the validity of the SCC Decisions (Irish High Court rules on Facebook surveillance case, 2017).
In simple terms, Facebook Inc. is required to help the American government with mass surveillance and thus transfers European data to US servers, while EU law prohibits just these practices. As Facebook is registered in both Ireland and the US ,“they [Facebook] got themselves in a legal dilemma that they cannot possibly solve in the long run.” according to Max Schrems, plaintiff in the case.
Did you know that European data is prohibited to be transferred outside of Europe? Are you oké with your data being on US servers, to be spied on by the NSA? What do you think about these regional data protection limits?
Irish High Court rules on Facebook surveillance case. (2017). Retrieved from http://www.europe-v-facebook.org/sh2/PA.pdf
European Commission. (2016). EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield. Retrieved from http://europa.eu/rapid/press-release_IP-16-216_en.htm
McLellan, M., & Hellmuth, W. (2015). Safe Harbor Is Dead, Long Live Standard Contractual Clauses? | Data Privacy Monitor. Data Privacy Monitor. Retrieved 7 October 2017, from https://www.dataprivacymonitor.com/enforcement/safe-harbor-is-dead-long-live-standard-contractual-clauses/
Thanks for the informative article Martijn. I personally didn’t know about this EU law, but I’m glad its there since I would strongly prefer to not have my internet activity monitored by a country I have never even been to 🙂 I also think that this the latest example of the EU’s growing efforts in trying to tame the activities of the big American tech giants (Facebook, Google, Apple and Amazon). Up to now those effort has been mostly in the areas of tax and antitrust violations (https://www.nytimes.com/interactive/2015/04/13/technology/how-europe-is-going-after-us-tech-giants.html), but it is now expanding to other areas like the mentioned data privacy and content governance (e.g. fake news, hate speech, extremist material). For example, Germany has recently passed a law imposing fines of up to 50 million euros on websites that don’t remove hate speech within 24 hours (https://www.cbsnews.com/news/facebook-google-europe-hate-speech-content-restrictions/).