Legal challenge to Facebook EU-US data transfer mechanism kicks off in Ireland

Another legal challenge to a data transfer authorization mechanism relied upon by Facebook and thousands of other companies to legally move user data from the European Union to the U.S. for processing has kicked off in the Irish High Court today.

The hearing is expected to last three weeks, and is taking place in Ireland because Facebook’s European headquarters are located in the country.

Last May the Irish data protection commissioner said it was referring standard contractual clauses (SCCs) — sometimes referred to as “model contract clauses” — to Ireland’s High Court to seek a referral to Europe’s top court, the CJEU, for a definitive ruling on the legality of the mechanism.

In a recent memo about the action, the Irish DPA writes on its website:

The DPC [data protection commissioner] is now asking the High Court to make a reference to the CJEU in relation to the validity of the SCCs mechanism. This step has been taken because the DPC has concerns as to the validity of the SCCs when considered in the light of a number of factors, to include Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, and the CJEU’s judgment in the first Schrems case. The DPC considers that the concerns she holds, and the concerns expressed by Mr Schrems in a complaint filed with the DPC’s office, are well-founded.

Covering the opening of the hearing today, Reuters reports that the lawyer for Commissioner Helen Dixon argued the court should refer the case to the CJEU if “you share her doubts.” “The Commissioner’s concern is simply to get it right, not to advocate for any particular result,” he added.

In a statement provided to TechCrunch, a Facebook spokesperson said: “Standard Contract Clauses provide critical safeguards, protecting EU citizens data’ in the US and around the world, and are used by thousands of companies to do business. Facebook firmly believes that SCCs are integral to businesses of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.”

The company will be giving evidence as part of the hearing — and was named in the original and updated complaints to the Irish DPA, the latter having resulted in today’s hearing.

“While there is no immediate impact for people or businesses who use our services, we are pleased to have the opportunity to provide input in this process,” the Facebook spokesperson added. “It is essential that the court has the opportunity to consider the full facts before it makes any decision that may impact the European economy.”

Back in June, the U.S. government asked, and was granted, permission to be joined as an amicus in the case — highlighting the high-level importance being attached to trying to prevent another data transfer challenge ending up at the CJEU, where judges would again be testing the legal robustness of a mechanism used to smooth data flows between Europe and the U.S. for e-commerce purposes.

In October 2015, the court caused a big upheaval for businesses by invalidating a prior EU-U.S. data flow arrangement that had been operational for 15 years.

Model contract clauses are one of the alternative data transfer mechanisms that thousands of companies fell back on when that prior arrangement, Safe Harbor, was struck down. The challenge had been initiated by European privacy campaigner Max Schrems, armed with intel from the 2013 Snowden disclosures about U.S. government surveillance programs. After the CJEU’s Safe Harbor ruling, Schrems resubmitted his complaint to the Irish DPA to push for a similar decision to invalidate SCCs.

The crux of the legal question remains whether U.S. surveillance activity can be made compatible with European privacy law. And since the fall of Safe Harbor, the legality of alternative mechanisms, including model contracts, has been questioned, even as the European Commission and the U.S. went on to conclude negotiations and seal a replacement deal, called Privacy Shield.

That mechanism launched last August, but is now facing at least one legal challenge. It’s also due its first annual review this summer, with signs of some early discontent on the European side — even before you factor in the question of how compatible the new Trump administration’s priorities will be with subtle arrangements seeking to legally bridge gaps in two distinct data protection regimes.

The new U.S. president signing an executive order at the end of last month to strip certain privacy rights from non-citizens/non-residents certainly has terrible optics from a European perspective. Even if that particular Trump pen stroke did not invalidate Privacy Shield, which relies on a different U.S. law to underpin its promise of “essential equivalence” of privacy protections. (Though how the ongoing combination of Trump plus Privacy Shield plays out over the longer run remains an open question.)

TechCrunch understands that a key concern for the Irish DPA over model contract clauses is a structural issue pertaining to the lack of redress facilities for European citizens wanting to pursue claims in the U.S. against companies they believe have breached their European rights.

Privacy Shield does offer a redress path for EU citizens, enabled by the U.S. signing the Judicial Redress Act into law and extending its designation to countries in the EU — although critics argue the redress path may be too complex for European consumers to be effective.