Irish Privacy Watchdog To Probe Facebook Over Spying Claims
Ireland’s top privacy advocate today agreed to investigate claims that Facebook failed to adequately protect its users’ data from spying by the U.S. government. The Irish High Court ordered the office of the Irish Data Protection Commissioner (DPC) to mount an inquiry into the allegations following a decision by the European Court of Justice (ECJ) earlier this month.
The ECJ ruled that an agreement between the U.S. and the European Union (EU) that allowed Internet companies to transfer customer data from Europe to the U.S. was invalid. The so-called “Safe Harbor” agreement has been in effect for the last 15 years.
Complaint from Austrian User
The involvement of the DPC and the ECJ came as the result of a complaint filed by an Austrian law student, Maximilian Schrems. The student asked the privacy authority to look into the way Facebook handled its European users’ data following disclosures by NSA (National Security Agency) whistleblower Edward Snowden that the spy agency was conducting widespread surveillance of European citizens.
Because Facebook's European operations are headquartered in Dublin, the DPC has jurisdiction over the matter. The privacy authority initially tried to avoid getting involved, claiming that Schrems’ complaint was frivolous. The DPC concluded that Facebook was in compliance with the law, based on the existence of the Safe Harbor agreement.
Under the agreement, Facebook certified that it had complied with EU law with regard to the handling of its users' data, leaving the DPC with nothing to investigate, the agency claimed. The agreement provided sufficient protection to indemnify companies from complaints such as the one from Schrems, the DPC argued. Schrems appealed the decision to the Irish High Court, which then asked the EU’s highest court to weigh in on the matter.
Incompatible with EU Laws
The court responded two weeks ago, pronouncing the Safe Harbor agreement invalid under European law. That ruling sent shockwaves throughout the business community, since it will now be illegal for companies to transfer data on European users to the U.S. More than 4,000 companies are affected by the decision, and they are now scrambling to comply.
For Facebook, the ECJ’s decision could be just the beginning of its headaches. The Irish High Court ruled that the Safe Harbor agreement was void, and ordered the DPC to begin its investigation into the social media company’s practices for protecting customer data. The DPC, for its part, announced today that it will now “investigate the substance of the complaint with all due diligence."
The Article 29 Working Party, an independent advisory body to the European Commission on data protection and privacy, responded positively to the decision. The organization called the NSA’s surveillance program incompatible with EU laws and argued that existing data transfer tools were inadequate solutions. Furthermore, it said the U.S. should not be considered a safe destination for data transfers, citing the power of the U.S. government to access citizen data.