Did Facebook illegally let the U.S. National Security Agency spy on its European users? That question is to be considered by the European Union’s highest court, after an Irish judge questioned whether data that the social network transferred from Europe to its U.S. servers might have fallen into the hands of the spy agency.
In a ruling today, Irish High Court Judge Gerard Hogan asked the European Court of Justice to decide whether Irish regulators should investigate the data transfers, which have been permitted under a transatlantic agreement that assumes U.S. privacy protections are comparable to those in the EU. Privacy advocates, led by an Austrian law student named Max Schrems, contend that Edward Snowden’s revelations about the NSA’s Prism program showed that the agency conducted “mass and largely unsupervised surveillance” of Facebook users’ data.
Schrems took Ireland’s national data regulator to court after it refused to consider his complaint and dismissed his arguments as “frivolous and vexatious.” But Judge Hogan said Snowden’s disclosures had “exposed gaping holes in contemporary U.S. data protection practice” that could undermine the U.S.-EU agreement. He asked the European court to determine whether an investigation of Facebook’s data transfers was warranted in light of the disclosures. The case was filed in Ireland because Facebook’s European operations are headquartered there.
In a statement provided to Bloomberg Businessweek, Iain Waterman, a Facebook spokesman in London, said the company had no comment on the Irish decision. Facebook has said previously that it provided data to the U.S. only in response to “targeted requests which were properly and lawfully made” and did not give government agencies direct access to its servers.
The European Court of Justice, based in Luxembourg, is known as a staunch defender of privacy rights. Just last month, it ordered Google to let users demand removal of links and other information in search results they deemed harmful to their privacy. Earlier, the court struck down an EU law letting telecom companies retain users’ communications data for up to two years.
“This is the best outcome we could have wished for,” Schrems said in a statement posted on his website after today’s ruling. “If this case is now pending before the court that has just made Google forget data and killed data retention in Europe, this could get the transatlantic discussion to a whole new level.”