Irish court refers landmark EU-US data transfer case to EU

Ireland's High Court today ruled that the Court of Justice of the European Union must decide the rules on the transfer of data from European Facebook users to the US "to ensure consistency".
Judge Caroline Costello said that "only a decision of CJEU can resolve the potential for inconsistent applications" of the mechanism used by internet giants to transfer European users' data to the US.
The legal action follows a complaint by Austrian privacy lawyer Max Schrems to Ireland's Data Protection Commissioner (DPC) about Facebook's use of so-called standard contractual clauses (SCCs) to transfer personal data from Europe to the US, via its European headquarters in Dublin.

SCCs are now widely used by data exporters and are intended to allow for the legal transfer of data from EU citizens as long as "adequate protection" is in place.
Schrems argues that the SCCs offer no redress for European citizens in the US in the event of their data being accessed by a third party, such as US intelligence services, or compromised in some other way.
His legal team claimed that the Irish watchdog already had the power to stop data transfers from Facebook and should use it.

Mason Hayes & Curran, the Dublin-based legal team acting for Facebook, earlier warned in a briefing note of the negative impact a defeat would have on its client and other multinationals.

"The widespread interest in this case arises, in part, from the potential economic and commercial consequences that could flow from a ruling that the SCC decisions are invalid," it said.
The lawyers quoted estimates saying that if services and cross-border data flows were to be disrupted, the European Union's gross domestic product (GDP) could be hit by as much as 1.3 percentage points.
Facebook argues there is nothing wrong with the current system and that there is no need for a referral.
It was forced to switch to SCCs last year after the European Court of Justice ruled in 2015 that the Safe Harbour framework, which had governed the EU-US flow of personal data, contravened EU law because the privacy of European citizens could not be guaranteed in the US.

The SCCs are considered as something of a stopgap measure designed to allow the transfer of data, pending agreement on a more comprehensive regime.