
Facebook's Privacy Feud With Austrian Heads to EU's Top Court

  • Irish court rules in case pitting Max Schrems v. Facebook
  • EU top court ruling could ultimately affect thousands of firms

Facebook Inc.’s long-running feud with an Austrian privacy activist is headed back to familiar territory: the European Union’s highest court.

An Irish court passed the buck in a dispute over whether data-transfer clauses used by the social network and thousands of other companies may give U.S. spies access to users’ details.

Only the EU Court of Justice has the “jurisdiction to rule on the validity of a European measure,” Judge Caroline Costello said in Dublin on Tuesday.

The case is the latest round of a dispute involving Max Schrems, the 30-year-old whose campaign for tougher standards already led the EU’s top court to annul a related Safe Harbor accord enabling data transfers to the U.S. Tuesday’s ruling concerns the legality of standard contractual clauses widely used as an alternative to the banned EU-U.S. pact.

Schrems and Facebook were at odds over the impact of the Irish ruling. The Austrian welcomed the Irish ruling, saying it poses a “major problem for Facebook.”

Facebook said in a statement it won’t immediately affect “people or businesses who use our services.”

Still, the social network said “it is essential” that the EU court “now considers the extensive evidence demonstrating the robust protections in place under standard contractual clauses and U.S. law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.”

Legal Limbo

The 2015 ruling on the Safe Harbor threw thousands of companies into legal limbo and forced the EU and U.S. back to the drawing board to agree on a new deal that would sufficiently protect EU citizens’ data when transferred across the Atlantic.

Since the EU court decision, Ireland’s data protection authority, egged on by Schrems, also started to question the safety of EU users’ data under the standard contractual clauses. Schrems has used his studies in law over the years to attack mass access by U.S. spies to such data once a company like Facebook has shipped it across the Atlantic.

Separate from the Irish disputes, Schrems last year managed to get a second Facebook-related case referred to the EU’s top court, this time from a court in Vienna. Schrems’s lawyers in that case in July pleaded with the EU judges to give them the green light to bring an Austrian-style collective suit against Facebook with claims from around the EU and beyond.

Thousands of Companies

While the Irish case targets Facebook’s data transfers, the outcome could ultimately affect thousands of companies across the EU that use the same transfer tools to ship commercial data back to the U.S. Standard contractual clauses, a tool offered under EU law, were the fall-back option for businesses left hanging after the top court’s 2015 annulment of Safe Harbor.

The EU last year adopted a new trans-Atlantic data transfer tool, called Privacy Shield, to replace Safe Harbor. The tool, which is already being used by about 2,500 companies, could be pulled at any moment if there are any developments in the U.S. that would put the safety of European citizens’ data at risk, the EU has said.

That’s why other tools, such as the standard contractual clauses, remain important for various reasons, said Bijan Madhani, senior policy counsel at the Computer & Communications Industry Association, a group that speaks for technology companies including Facebook.

“Many companies are working towards Privacy Shield certification but still need a mechanism through which they can lawfully transfer EU personal data,” he said. These other tools also “provide the flexibility to ensure that data transfers with third parties that are not Privacy Shield-certified are conducted in accordance with EU data protection requirements.”

For Schrems, it’s not the tool in itself which is the problem. He questions Facebook’s use of the standard contractual clauses, and has in his complaints and in the Irish court case urged the nation’s data protection regulator to suspend Facebook’s EU-U.S. data flows. The Irish watchdog went a step further and questioned the validity of this tool more generally.

Schrems started his vendetta years ago by filing 22 complaints against the Menlo Park, California-based company in Ireland, where Facebook has its European headquarters.

The problem for Schrems is that, “in simple terms, U.S. law requires Facebook to help” the U.S. National Security Agency “with mass surveillance and EU law prohibits just that.”

— With assistance by Giles Turner
