Irish Data Protection Regulator questions transfer of Facebook data to US


The Irish High Court has asked the Court of Justice of the European Union (CJEU) for a preliminary ruling on whether or not the transfer of Facebook user data to Facebook Inc in the US is lawful. Facebook operates its international business via a separate company in Ireland called Facebook Ireland Ltd, which handles the data of 85% of all Facebook users outside the US and Canada.

The court agreed that the absence of effective remedies in the US may violate European fundamental rights under the European Charter of Fundamental Rights, when data is sent to the US under Standard Contractual Clauses (SCCs). European data protection law requires that data can only be transferred outside the EU if the personal data is “adequately protected”. This is in conflict with US law (FISA 702) which requires US companies (including Facebook Inc.) that are “electronic communication service providers” to hand over data, as and when required, to the US national security authorities.

The court found that the Irish Data Protection Commissioner has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid. The court further found that the DPC may be able to suspend data flows under the SCCs in line with Article 4 of the SCC decision and Article 28 of Directive 95/46/EC.

The case is ongoing and further clarification in a second decision from the CJEU  is awaited. The latest ruling can be found by clicking on the link below.

2017.10.04 – Irish DPA v Facebook Ireland.