Facebook Inc. lost a legal battle on Friday over an initial order from a European Union privacy watchdog that could result in the social network being forced to stop transferring data to the US.
An Irish court rejected Facebook’s challenge, saying it didn’t establish “any basis” for calling into question the Irish Data Protection Commission’s (DPC) decision.
Judge David Barniville wrote in his judgment that he concluded Facebook “must fail on those grounds of challenge and that it is, therefore, not entitled to any of the reliefs claimed in the proceedings”, according to The Telegraph.
The dispute is part of the fallout from July’s shock decision by the bloc’s top court, the EU’s Court of Justice, which toppled the so-called Privacy Shield over fears citizens’ data isn’t safe once shipped to the U.S. Privacy Shield is an EU-approved trans-Atlantic transfer tool.
That EU court ruling was quickly followed in August, by a preliminary order from the DPC, the EU’s main watchdog as regards Facebook, telling Facebook it could no longer use an alternative tool, known as standard contractual clauses, to satisfy privacy rules when shipping data to the U.S.
Facebook then fought the Irish measures, urging watchdogs to “adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.” If made permanent, the order would mean the company could no longer use so-called standard contractual clauses for data transfers, the most commonly used remaining method.
“Basically the court gave the Irish data protection authority a thumbs-up to continue an investigation, which could lead to a stop of data transfers,” said Joerg Hladjk, a lawyer with Jones Day in Brussels, who isn’t involved in the case, according to Bloomberg.
Privacy campaigner Max Schrems has been complaining to the Irish watchdog that EU citizens’ data is at risk the moment it gets transferred to the U.S. and that Facebook’s data transfers were no longer safe
“Facebook lost on every ground” and failed in its attempts to “delay the Irish decision,” privacy campaigner Schrems said following Friday’s decision. “After eight years” the data protection commission “is now required to stop Facebook’s EU-U.S. data transfers, likely before summer.”
Facebook said the ruling was about the “process” followed by the Irish watchdog, whose preliminary order “could be damaging not only to Facebook but also to users and other businesses.”
“The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family, and employees across the Atlantic,” Facebook said in a statement. “Like other companies, we have followed European rules and rely on standard contractual clauses, and appropriate data safeguards, to provide a global service and connect people, businesses, and charities.”
The Irish authority said it welcomed the ruling.
Since the July ruling, EU data-protection watchdogs have been weighing a much tougher approach to data transfers because it raised the bar for continued data flows outside the EU by demanding that data protection in other countries must be “essentially equivalent” to that in the bloc.
Also since the General Data Protection Regulation took effect in 2018, the EU has strict data protection rules in place empowering national regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations.