Ireland’s data regulator can resume a probe that may trigger a ban on Facebook’s transatlantic data transfers, the High Court ruled on Saturday NZ time, raising the prospect of a stoppage that the company warns would have a devastating impact on its business.
The case stems from EU concerns that US government surveillance may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.
Ireland's Data Protection Commissioner (DPC), Facebook's lead regulator in the European Union, launched an inquiry in August and issued a provisional order that the main mechanism Facebook uses to transfer EU user data to the United States "cannot in practice be used".
Facebook had challenged both the inquiry and the Preliminary Draft Decision (PDD), saying they threatened "devastating" and "irreversible" consequences for its business, which relies on processing user data to serve targeted online ads.
The High Court rejected the challenge.
"I refuse all of the reliefs sought by FBI (Facebook Ireland) and dismiss the claims made by it in the proceedings," Justice David Barniville said in a judgment that ran to nearly 200 pages.
"FBI has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC," the judgment said.
While the decision does not trigger an immediate halt to data flows, Austrian privacy activist Max Schrems, who forced the Irish data regulator to act in a series of legal actions over the past eight years, said he believed the decision made it inevitable.
"After eight years, the DPC is now required to stop Facebook's EU-US data transfers, likely before summer," he said.
A Facebook spokesman said the company looked forward to defending its compliance with EU data rules as the Irish regulator's provisional order "could be damaging not only to Facebook, but also to users and other businesses".
If the Irish data regulator enforces the provisional order, it would effectively end the privileged access companies in the United States have to personal data from Europe and put them on the same footing as companies in other nations outside the bloc.
The mechanism being questioned by the Irish regulator, the Standard Contractual Clause (SCC), was deemed valid by the European Court of Justice in a July decision.
But the Court of Justice also ruled that, under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
A lawyer for Facebook in December told the High Court that the Irish regulator's draft decision, if implemented, "would have devastating consequences" for Facebook's business, impacting Facebook's 410 million active users in Europe, hit political groups and undermine freedom of speech.
Irish Data Protection Commissioner Helen Dixon in February said companies more broadly may face massive disruption to transatlantic data flows as a result of the European Court of Justice decision.
Dixon's office welcomed the decision, but declined further comment.