Facebook Data Transfer
Facebook's method of transferring customer data from Europe to the U.S. will once again come under scrutiny as the Irish Data Protection Commissioner is referring it to the European Court of Justice. REUTERS/Dado Ruvic

Facebook and other major U.S. tech firms could be facing a huge problem after the Irish Data Protection Commissioner confirmed it was seeking to ascertain the legality of the mechanisms these companies are using to transfer data between Europe and the U.S.

Last October the European Court of Justice ruled that Safe Harbor, the method being used by Facebook — and some 4,500 other U.S. companies — to transfer data across the Atlantic since 2000, was invalid. Since then the social network has been relying on a mechanism known as Standard Contractual Clauses or Model Clauses.

Major U.S. tech companies like Facebook, Apple, Microsoft and Google all rely on Model Clauses to transfer their customers' data across the Atlantic. Should the Court rule that, like Safe Harbor, the Model Clause mechanism is invalid, Facebook and all other U.S. companies relying on it could be left in limbo, unable to transfer data from Europe to their servers in the U.S.

The Irish Data Protection Commissioner confirmed Wednesday that it is referring the case against Facebook once again to the European Court of Justice. Speaking to the International Business Times, a spokesperson for the Irish DPC said the papers would be filed next week to the Irish courts with a recommendation that the case be referred to the European court, adding that it informed Facebook of its decision on Tuesday.

“We yesterday informed Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the [European Court of Justice] to determine the legal status of data transfers under Standard Contractual Clauses,” the spokesperson said.

In an emailed statement Facebook said: “Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commissioner in its investigation.”

Facebook added that should Model Clauses be ruled invalid, it has “other legal methods” of transferring data to the U.S. from Europe, but when asked what these were, the company did not give any more details.

Also informed was Max Schrems, the Austrian student and privacy campaigner who brought the initial case against Facebook, whose international headquarters is in Ireland, after revelations made by Edward Snowden indicated that U.S. law enforcement agencies were monitoring data being transferred from Europe to the U.S.

Schrems has confirmed he was informed of the decision by the Irish DPC and was furnished with the Commissioner's draft decision and associated annexes. “There is no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these U.S. surveillance laws,” Schrems said in a statement.

While the Irish DPC has not officially said why it is challenging Facebook's methods, a source with knowledge of the matter told IBT that the issue related to the lack of redress citizens have over how their data is handled once it crosses the Atlantic.

Since Safe Harbor was invalidated last October, officials on both sides of the Atlantic have been working frantically to find a mechanism to replace it. The result is Privacy Shield, a framework to transfer data safely, which was published in February. In April, the Article 29 Working Group, which is made up of data commissioners from all 28 EU-member states, revealed it was not happy with many of the proposals in Privacy Shield, but its decision is nonbinding.