Out-Law News 3 min. read
29 Oct 2013, 2:45 pm
Privacy campaigners the 'Europe v Facebook' group won the right to a judicial review of the decision by the Office of the Irish Data Protection Commissioner (ODPC) not to look into the issue when it complained about the matter earlier this year. The group has claimed, among other things, that Irish Data Protection Commissioner Billy Hawkes "failed in his duty to investigate".
However, the ODPC said it would strongly contest the case when the hearings begin.
"Now that the matter is the subject of ongoing court proceedings, this Office is not in a position to comment on the matter, other than to confirm that we will be vigorously defending our position," the ODPC said in a statement, according to a report by The Register.
Earlier this summer the Guardian and a number of US newspapers published stories concerning the surveillance activities of US intelligence body the National Security Agency (NSA). The stories contained information leaked by whistleblower Edward Snowden and concerned the NSA's alleged use of a computer programme called 'Prism' to access data held by major technology companies, including Facebook.
Following the news reports the Europe v Facebook group submitted a complaint to the ODPC and asked the watchdog to look into whether Facebook could be said to be complying with EU data protection rules around the transferring of personal data outside of the trading bloc. Facebook Ireland has responsibility for all Facebook users outside of the USA and Canada.
According to documents submitted to the High Court in Ireland by Europe v Facebook (16-page / 1.6MB PDF), the ODPC deemed the group's Facebook Prism complaint to be "frivolous and vexatious". The ODPC is not bound to issue a formal decision in relation to any complaint he deems to be frivolous.
The watchdog has had previous dealings with Europe v Facebook. In 2011 the ODPC conducted an audit of Facebook Ireland's privacy polices and practices and made a number of recommendations for improvements. The audit was undertaken after Europe v Facebook raised a number of concerns about the social network's compliance with EU data protection laws.
Following a re-audit last year the ODPC said Facebook had implemented the "great majority of the recommendations" it made in its initial report and sought action on a number of the outstanding issues. However, Europe v Facebook raised concerns about the ODPC's audit and findings and pressed for further action.
Austrian student Max Schrems who heads up the Europe v Facebook group said that the Luxembourg data protection authority is looking into its complaints about the links between Microsoft and Skype and the NSA's Prism programme and that Yahoo! is also under similar regulatory scrutiny in Germany.
"The [Irish] DPC simply wanted to get this hot potato off his table instead of doing his job," Schrems said in a statement. "But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it."
"In our complaint we have questioned the scope and the validity of the ‘Safe Harbour’ system. The DPC has totally ignored this and has only verified that Facebook is member of the ‘Safe Harbour’ system - this was just never the question in our complaint," he added.
Under the EU's Data Protection Directive personal data may only be transferred outside of the European Economic Area (EEA) by organisations where there is an adequate level of data protection in place in the third country.
A number of countries around the world, although not the US, have been deemed to provide adequate protection. However, a 'Safe Harbour' agreement has been put in place between the EU and US that allows personal data to be transferred to the US where data protections meet EU standards. US organisations that self-certify that they conform to the requirements of the Safe Harbour scheme are deemed as having met European safety standards outlined in the Directive.
The Safe Harbour framework is currently under review by the European Commission in light of the Prism revelations.
Court documents published by Europe v Facebook said it was "irrational" for the ODPC to "conclude or be satisfied that, in the United States of America, an adequate level of protection was in place" following the stories about NSA spying.
The group said that it anticipates a ruling in the case within the next six months.
