Irish High Court allows Judicial Review to stop Facebook EU-US transfers

Data Transfers
 /  12 October 2020
(c) Kieran Lynam

Irish High Court allows Judicial Review aiming to stop Facebook’s EU-US Data Transfers

The Irish High Court has granted leave for a “Judicial Review” against the Irish Data Protection Commission (DPC) today. The legal action by noyb aims to swiftly implement the European Court of Justice Decision prohibiting Facebook’s EU-US data.

7 Years and 5 Judgments, but no DPC decision. In 2013 Mr Schrems has filed a complaint against the European Facebook Headquarter, for illegally sharing his personal data with Facebook in the USA in the light of US mass surveillance laws like FISA702. After seven years and five judgments in the matter little progress was made in the original case, despite two judgments by Europe’s top court that invalidated the “Safe Harbor” and the “Privacy Shield”. Instead of making a final decision, the Irish DPC has suspended the complaints procedure last month for indefinite time.

Second Procedure Opened & Stalled. Instead of making a decision in the pending procedure, the DPC has started a second, new investigation into the same subject matter (“Parallel Procedure”), as widely reported (see original reporting by the WSJ). No logical reasons for the Parallel Procedure was given, but the DPC has maintained that Mr Schrems will not be heard in this second case, as he is not a party in this Parallel Procedure. This Paralell procedure was criticised by Facebook publicly (link) and instantly blocked by a Judicial Review by Facebook (see report by Reuters).

Today’s Judicial Review by noyb is in many ways the counterpart to Facebook’s Judicial Review: While Facebook wants to block the second procedure by the DPC, noyb wants to move the original complaints procedure towards a decision.

Max Schrems, chair of “The DPC has opened a second case, just get rid of the complainant from the first case. Now this second case was stalled by a lawsuit from Facebook within weeks. This was complete procedural mismanagement by the Irish regulator. We are now trying to kick start the original procedure from 2013 to finally get a decision by the DPC after seven years and five court judgements that all confirmed our position.”

DPC breached Irish and EU law in multiple ways. In 2015 the DPC gave an Undertaking to the Irish High Court, to complete the investigation with “all due diligence and speed”. Five years later, the DPC does not only lack any path to a decision, but even stopped the complaints procedure indefinitely.

In addition, documents that emerged within the last weeks suggest that Facebook has used other legal basis than the Privacy Shield and the “Standard Contractual Clauses” (SCCs) to transfer data from the EU to the US and informed the DPC about this in 2016. The DPC is however has stated on the record  that the SCCs were the main means for such transfers.

Max Schrems: “The documents we received suggest that seven years of procedures and both references to the European Court of Justice were largely irrelevant for the case before the DPC. The DPC has hidden these documents from the Courts and us – despite our right to be provided with all the files of a case. We are therefore asking the High Court to clarify that all documents must be put on the table that all parties are properly heard and a quick decision is then made.”

Hearing by the End of the Year. As the High Court has allowed the Judicial Review to go ahead, the relevant papers by the DPC will be filed and a hearing date will be set. It is expected that the hearing will take place around the end of the year.

Max Schrems: “The DPC has already pledged to the Court in 2015 that it will swiftly decide. It seems like we need a clear judgment to force the DPC to do its job.”

Further Background: