Facebook EU-US data transfer complaint: Schrems gets a judicial review of the Irish DPC’s procedure
Another twist in a multi-year complaint saga related to the legality of Facebook’s data transfers: European privacy campaigner Max Schrems has today been granted a judicial review of the Irish regulator’s handling of his complaint.
He’s expecting the hearing to take place before the end of the year — and is hoping the action will, at long last, lead to a suspension of Facebook’s EU-US data transfers.
Schrems says his aim is to “kick start a ‘paused’ complaints procedure’” after Ireland’s Data Protection Commission (DPC) chose to open a new case procedure last month — simultaneously pausing its handling of his original complaint, which dates back some seven years at this point.
The vintage complaint had a major injection of attention following a ruling by Europe’s top court this summer, which struck down a flagship EU-US data transfer arrangement (called Privacy Shield) — and cast doubt on the legality of alternative transfer mechanisms for taking EU citizens’ data to the U.S. for processing when processors are subject to U.S. surveillance law, as Facebook is.
Yet there’s still no decision on Schrems’ original complaint. Hence, he’s returned to court.
“The DPC has already pledged to the Court in 2015 that it will swiftly decide. It seems like we need a clear judgment to force the DPC to do its job,” said Schrems in a statement today on the judicial review being granted.
Facebook has already successfully applied for a judicial review of a preliminary order sent by the DPC last month to suspend its data transfers to the U.S. The tech giant was granted a stay on that preliminary order, so its data transfers continue unabated and uninterrupted — even as the regulatory process is mired in yet more legal wrangling.
The stay also bought Facebook more time to lobby EU lawmakers to “fix” the legal uncertainty now firmly attached to EU-U.S. data transfers — with VP Nick Clegg popping up on a live-streamed debate last month to predict economic doom for the region’s small businesses if Facebook gets forced to suspend transfers. (Clegg further claimed Facebook’s business of “personalized advertising” would be vital to Europe’s coronavirus economic recovery, without pointing out other, less invasive/rights-hostile forms of ad-targeting are available…)
It’s not hard to see why Schrems is so unhappy that his 2013 complaint has been turned into an endless game of regulatory whack-a-mole that leaves Facebook free to continue its data-mining business as usual.
In a press release put out by his privacy-focused not-for-profit, noyb, Schrems writes: “Today’s Judicial Review by noyb is in many ways the counterpart to Facebook’s Judicial Review: While Facebook wants to block the second procedure by the DPC, noyb wants to move the original complaints procedure towards a decision.”
“The DPC has opened a second case, just get rid of the complainant from the first case. Now this second case was stalled by a lawsuit from Facebook within weeks. This was complete procedural mismanagement by the Irish regulator. We are now trying to kick start the original procedure from 2013 to finally get a decision by the DPC after seven years and five court judgements that all confirmed our position,” he adds in the statement.
Schrems/noyb is also making a more pointed allegation against the regulator, saying it saw documents last week that suggest Facebook has been using alternative data transfer mechanisms to take EU users’ data to the U.S. — and accusing the regulator of knowing about this since 2016, yet failing to pass the information on to it.
“The documents we received suggest that seven years of procedures and both references to the European Court of Justice were largely irrelevant for the case before the DPC,” writes Schrems, accusing the regulator of hiding documents from the Courts and his lawyers “despite our right to be provided with all the files of a case”. “We are therefore asking the High Court to clarify that all documents must be put on the table that all parties are properly heard and a quick decision is then made,” he adds.
We reached out to the DPC with questions but the regulator declined to answer specific points at this stage. “As you can see Mr Schrems’ application to the Court this morning was made ex parte, meaning that any comments/arguments put forward were unchallenged. We will outline our position when we make our own submission to the Court,” deputy commissioner, Graham Doyle, told us.
Ireland’s regulator is no stranger to accusations of dragging its feet on enforcing the bloc’s data protection regime against major tech firms and platforms, many of whom have chosen to site their regional base in the country — meaning their data handling typically comes under the supervision of the DPC. (Which in turn means it has a huge backlog of complex, cross-border cases to investigate and issue decisions on.)
More than two years after the GDPR came into application, the DPC has only submitted one draft decision on cross-border cases (related to a Twitter security breach) — which is still pending agreement from the EU’s other data supervisors.
Scores more cases remain open on its desk.
In June, a Commission two-year review of GDPR flagged a lack of uniformly vigorous enforcement — with lawmakers acknowledging: “The best answer [to criticism of GDPR’s failure to regulate big tech] will be a decision from the Irish data protection authority about important cases.”
Separately, Irish parliamentarian Malcolm Byrne raised questions in the senate recently over another long-standing complaint that’s sitting on the DPC’s desk — related to Google and the real-time bidding process that’s involved in programmatic advertising — also still an open investigation.