Following Edward Snowden's revelations about the NSA's PRISM surveillance program and Facebook's inclusion within it, Max Schrems made a formal complaint to the Irish Data Protection Commissioner, Billy Hawkes, accusing the social giant of illegally exporting his personal data. Facebook has its European center of operations in Ireland.
The crux of the issue is the EU-US Safe Harbor agreement. The US does not have national privacy controls sufficient to satisfy European requirements. To get around this problem, a safe harbor agreement allows US companies to work with European customer data provided they are safe harbor certified; that is, they individually guarantee acceptable levels of privacy. US companies can be third-party or self-certified. Facebook is self-certified.
Since Snowden, however, the adequacy of the Safe Harbor agreement has been questioned. In July the EU commissioner for Justice, Viviane Reding, suggested, "The Safe Harbor agreement may not be so safe after all." Earlier this month, the European Parliament's civil liberties committee, LIBE, was told that 427 US companies make false claims over Safe Harbor. “In those 427 organizations, you will find large household names in Europe, with hundreds of millions of customers,” said Chris Connolly of Galexia.
But the Irish DPC decided to accept Facebook's self-certification at face value, and deemed that it's existence excused Facebook from any further examination. Pointing to the safe harbor agreement, Billy Hawkes told RTÉ News, "Irish law faithfully transposes European law in this area, it lays down very clearly that once there's been a decision that data can flow to different countries, then I am bound by that decision and that is why there is nothing to investigate by me in this case."
To Max Schrems, he dismissed the complaint as 'frivolous and vexatious.' "This is the cheapest excuse in a long while," said Schrems in a statement yesterday. "Our complaint was based on a legal view that is not only shared by every expert we know of, but also the DPCs in German, on the European level and even the European Commission. To claim that such a view would be ‘frivolous’ is absurd, but the DPC seems to have a system to turn down complaints."
Schrems did not simply accept the ruling. Instead he applied to the Irish High Court for a judicial review; and that application has now been granted. The effect is that the DPC will now have to investigate Schrems' complaint. That in turn will mean that Facebook's potential involvement in the NSA's Prism program will need to be examined since it would, allegedly, involve the illegal on-forwarding of European personal data.
"The DPC simply wanted to get this hot potato off his table instead of doing his job," said Schrems. "But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it." If he still declines to investigate, the matter will then go to trial. It is a big, but only an initial, win for Privacy v. Facebook.