Ireland challenges Facebook in threat to cross-border data pact

DUBLIN (Reuters) - Ireland’s privacy watchdog has launched a bid to refer Facebook’s data transfer mechanism to the European Union’s top court in a landmark case that could put the shifting of data across the Atlantic under renewed legal threat.

The Facebook logo is displayed on their website in an illustration photo taken in Bordeaux, France, February 1, 2017. REUTERS/Regis Duvignau

The move is the latest challenge to the various methods by which large tech firms such as Google and Apple move personal data of EU citizens back to the United States.

The issue of data privacy came to the fore after revelations in 2013 from former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance caused political outrage in Europe and stoked mistrust of large technology companies and an overhaul in the way businesses can move personal data - from human resources information to people’s browsing histories - so as to protect Europeans’ information against U.S. surveillance.

Ireland’s data protection commissioner, who has jurisdiction over Facebook as its European headquarters are in Dublin, wants The Court of Justice of the European Union to determine the validity of Facebook’s “model contracts” - common legal arrangements used by thousands of firms to transfer personal data outside the 28-nation bloc.

Irish Data Protection Commissioner Helen Dixon has formed the view that some of the complaints against the model contracts are “well founded,” Michael Collins, a lawyer for the commissioner told Ireland’s High Court on Tuesday.

“If you share her doubts - it doesn’t mean you have to be finally satisfied - then you must make a reference to the European Court... The Commissioner’s concern is simply to get it right, not to advocate for any particular result.”

Collins said only the CJEU and not a national court or the Data Protection Commissioner has the jurisdiction to rule a European Commission decision invalid.

He said that under EU law, a transfer of data can only be made to a country outside the EU if that country ensures an adequate level of protection.

A ruling against model clauses could cause major headaches for companies that need to transfer personal data to the United States - be it for completing credit card transactions, hotel bookings or moving employee data between countries.

The Irish commissioner’s office initially became involved after Austrian law student and privacy activist Max Schrems made a complaint in Dublin about Facebook’s handling of his data in the United States.

Schrems and other privacy campaigners contend that alternative arrangements such as model clauses don’t offer Europeans any means of redress either.

The court has since agreed to a request to allow the United States government to join the case, potentially giving the new U.S. administration a platform to lay out its views on surveillance laws.

Facebook, which is due to speak in court during the case, said in May that it was one of thousands of companies that used model clauses and said it had a number of legal ways of moving data to the United States.

Reporting by Padraic Halpin, editing by Louise Heavens