The High Court of Ireland on Friday struck down Facebook’s attempt to avoid the Irish Data Protection Commission’s (DPC) regulatory process. The DPC initiated its inquiry into Facebook’s data set through the Irish Data Protection Act 2018 in mid-April. This data set includes personal information of more than 500 million Facebook users worldwide, and the DPC is concerned over potential EU GDPR breaches by Facebook Ireland.
The case started when the DPC lodged an inquiry request on Facebook’s EU-US data transfers. Ongoing DPC monitoring shows that Facebook has infringed several GDPR or Data Protection Act provisions. Facebook Ireland has attempted to plough ahead with the EU-US data transfer. It argued in court that the DPC’s concerns over Facebook activities diverged from the standard procedural protocol. However, Justice David Barniville stated:
I do not accept that it could be said to be unfair, unjust or inconsistent with good administration for the DPC to be permitted to depart from the illustrative procedures should the circumstances of a particular inquiry require it when that is precisely what the DPC said in the published material that it could do.
A Facebook spokesperson has stated that facilitating the transfer of huge chunks of data is imperative, and that a lot of businesses will depend on a streamlined transfer of data between continents.
This decision follows the Court of Justice of the EU’s (CJEU) decision invalidating the EU-US Privacy Shield. The Privacy Shield is an international framework designed by the US Department of Commerce, the European Commission and Swiss Administration to facilitate data trade. The CJEU invalidated the Privacy Shield on the basis that its data compliance regulations are inadequate to sufficiently protect data, a conclusion with which Justice David Barniville agreed.
These data privacy cases in the EU will be influential in a parallel lawsuit initiated by data privacy activist Max Schrems.