By Conor Humphries and Douglas Busvine
DUBLIN (Reuters) – Ireland’s data regulator may resume an investigation that could ban Facebook’s transatlantic data transfers, raising the possibility of a disruption that the company warns would have a devastating impact on its business.
The case arises due to EU concerns that US government surveillance activities would not respect the privacy rights of citizens of the bloc when their personal data is transferred to the US for commercial use purposes.
The Irish Data Protection Commissioner (DPC), Facebook’s main regulator in the European Union, launched an investigation in August and issued an interim order under which the main mechanism Facebook uses to transfer data of users from the EU to the United States “in practice can not be used”.
Facebook had challenged both the investigation and the Preliminary Draft Decision (PDD), saying they threatened “devastating” and “irreversible” consequences for its business, which relies on the processing of user data to post specific ads online.
The Superior Court rejected the challenge on Friday.
“I reject all the reparations requested by the FBI (Facebook Ireland) and I reject the claims made by the company in the process,” Judge David Barniville said in a sentence that spanned nearly 200 pages.
“The FBI has not established any basis to challenge the decision of the DPC or the PDD or the procedures for the investigation adopted by the DPC,” the judge said in the ruling.
While the decision does not cause immediate disruption of data flows, Austrian privacy activist Max Schrems, who has forced the Irish data regulator to take action with a series of legal actions over the past eight years, said he believes which is unavoidable.
“After eight years, the DPC is now required to stop Facebook data transfers between the EU and the US, probably before the (boreal) summer,” he said.
A Facebook spokesperson said the company hoped to defend its compliance with EU data rules, as the Irish regulator’s interim order “could be detrimental not only to Facebook, but also to users and other businesses.”
The mechanism challenged by the Irish regulator, the Standard Contractual Clause (SCC), was deemed valid by the Court of Justice of the European Union (CJEU) in a July decision.
But the CJEU also ruled that under the SCC, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection cannot be guaranteed in other countries.
(Reporting by Conor Humphries, Douglas Busvine and Padraic Halpin; Edited in Spanish by Ricardo Figueroa)