Facebook’s High Court judicial review challenge dismissed

On 14 May 2021, that challenge was dismissed, meaning that the investigation will continue and Facebook’s data transfers will remain in the regulatory spotlight, something that could have significant implications for data flows to the US more generally.

Background (Schrems II)

Maximillian Schrems, an EU national and privacy activist, wanted to stop Facebook transferring his personal data to the US. He believed that notwithstanding whatever protections were put in place (in this case the EU-US Privacy Shield) his personal data was not adequately protected against access by government agencies, such as the National Security Agency, the Central Intelligence Agency and the Federal Bureau of Investigation, as these agencies were granted wide ranging powers in the aftermath of the September 2011 terror attacks. Schrems argued that the US approach to personal data undermined the EU’s high data protection standards. Having already successfully had the Safe Harbor provisions struck down, he launched a new claim in the Irish courts challenging the validity of the Privacy Shield and SCCs, and the Irish High Court referred the case to the Court of Justice of the European Union (CJEU) for a decision.

The CJEU found that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”. This led to the Privacy Shield being struck down, like Safe Harbor before it. The decision also impacted the use of the SCCS; whilst the CJEU held that SCCs remain a potentially valid mechanism for cross-border transfers of personal data, in order to rely on SCCs controllers (and processors) must undertake due diligence to show that EU data subjects will receive, essentially equivalent protections in practice. The CJEU also emphasised that supervisory authorities have the authority to audit and review SCCs and stop data transfers where it finds there is not adequate protection.

In November 2020, the European Data Protection Board (EDPB) issued two recommendations on international data transfer mechanisms. These were intended to help organisations deal with the fallout from Schrems II, with examples of the technical, contractual and organisational “supplementary measures” that controllers (and indeed processors) could take to help ensure that data subjects whose data is transferred outside the EEA receive a requirement level of protection in practice. The EDPB also set out four European “essential guarantees” which are to be assessed against the surveillance laws of a recipient country of any data to determine whether there is anything in law or practice in that country which might impinge on the effectiveness of the transfer mechanisms.

The IDPC inquiry

In August 2020, the IDPC began an investigation into Facebook’s transfer of data from the EU to the US via the SCCs and issued a Preliminary Draft Decision. This found that Facebook’s transfers infringed the GDPR and could not “in practice be used". This (crucially) warned Facebook it may have to suspend data flows to the US. However, it should be noted that the Preliminary Draft Decision was not the end of the process and it was intended that Facebook would make representations in relation to these initial findings, with the IDPC giving it 21 days to respond.

Facebook’s High Court challenge

Facebook instigated judicial review proceedings in relation to the IDPC’s inquiry, arguing that (in summary):

• its right to a fair procedure had been infringed, partly because the IDPC’s Preliminary Draft Decision had been issued prior to the release of the EDPB guidance and that the IDPC had drawn conclusions too early in the process and without access to sufficient information, as well as the fact the Commissioner herself had been involved in both the investigative and decision-making stages of the inquiry;

• the 21 days given for Facebook to provide submissions in relation to the Preliminary Draft Decision were not sufficient; and

• the IDPC had violated Facebook’s right to equality by investigating its transfers, despite data flows to the US using the SCCs being extremely common.

The Irish High Court rejected these arguments, with some key points from the judgment being that:

• the IDPC has wide discretion under the Irish Data Protection Act 2018 to regulate its own procedures;

• the Preliminary Draft Decision did not constitute a premature judgment by the IDPC, nor was there a lack of sufficient information informing it (in particular, the Court noted that the IDPC was under no obligation to wait for EDPB guidance before taking action);

• the Preliminary Draft Decision was part of the inquiry process, rather than the final step in in it; and

• in relation to Facebook’s right of equality, the reasoning for the focus on Facebook was clear given the background of the Schrems II case. However, the Court noted that the IDPC did not have to explain why it had decided to commence an inquiry in respect of one organisation and not another.

What’s next?

With the stay on the proceedings lifted, the IDPC has given Facebook six weeks to prepare submissions to the Draft Preliminary Decision. However, it is worth remembering when the IDPC reaches a decision it won’t be the end of the regulatory process. Any decision will need to gain approval from the other EU regulators. If there is disagreement, and many think this likely, then the EDPB will need to seek consensus. In practice this means a potential further delay to any future suspension order.

When we eventually get an approved final decision on this matter it will have an impact beyond Facebook. Though the Irish High Court rejected the idea that Facebook was being singled out, the reality is that the use of the SCCs to transfer data to the US goes far, far beyond the social media giant. Though it will depend somewhat on how any final decision is reasoned, a negative finding could be problematic for businesses in many industries especially given that, as things stand, there simply isn’t an alternative to the SCCs for many organisations. Many will have already undertaken significant work based on the EDPB recommendations to try to ensure that they can, in fact, provide essentially equivalent protections for data subjects via the SCCs.

This process also raises the pressure on the EU and US to agree a new data transfer mechanism to replace the Privacy Shield. While negotiations are ongoing, surveillance laws remain the stumbling block and no major decision is expected in the near future.

With US ‘big tech’ remaining of fundamental importance to the Irish economy – it should go without saying that there would be significant concerns should companies start to feel that Ireland is no longer a prudent location in which to have to have their lead supervisory authority. This, coupled with the fact that new SCCs, which contain many of the supplemental measures recommended by the EDPB, have now been published (see our coverage of this here) means it will certainly be interesting to see how the IDPC moves forwards with this inquiry.