Sign up for our newsletter
Policy / Big Tech

UPDATED: Irish High Court Warns of “Potentially Grave Prejudice” in Landmark Facebook Ruling

Ireland’s High Court Thursday refused a request by Facebook to delay referral of a landmark privacy case to Europe’s top court, warning there was a risk of “unquantifiable potential loss” to the plaintiffs that is “incapable of being remedied” if the court ultimately found against the tech behemoth.

The case, brought by Austrian activist, Max Schrems, was heard in Ireland as it is home to Facebook’s headquarters for most of its non-US markets. It is the latest step in a seven-year legal battle being waged by the 30-year-old lawyer over trans-Atlantic sharing of European’s data.

Users affected by Facebook data breach top 87m, but who is responsible?

Facebook told Computer Business Review: “We are disappointed not to have been granted a stay on the preliminary reference being made to the CJEU (Court of Justice of the European Union). We intend on continuing with seeking leave to appeal the High Court’s decision to the Irish Supreme Court.”

White papers from our partners

The case arose originally from a complaint made by the 30-year-old lawyer to the Irish Data Protection Commissioner over the lawfulness of Facebook-Ireland’s transfer of European Facebook users to its US parent, Facebook Inc.

In her judgement today (May 2), Justice Caroline Costello said: “The prejudice suffered… is potentially very grave… the data of millions of data subjects may continue to be processed unlawfully.”

The case challenges methods used by technology firms such as Google and Apple to transfer data outside the 28-nation European Union, saying the so-called “standard contractual clauses” (SCCs) granted by the Commission to transfer data do not give EU consumers sufficient protection from US surveillance.

Facebook is arguing that the case that has been referred to the CJEU is “not just about Facebook” and is ultimately about a contractual tool endorsed by the European Commission, used by thousands of companies in the EU.

“We are applying for leave to appeal to the Supreme Court on the basis of a number of findings of fact as to US law which the High Court made, on which the CJEU would make its decision. We are also seeking to appeal to the Supreme Court on the basis of a number of points of law relevant to this case, including the impact of GDPR on the decision”, a company spokesman told Computer Business Review.

The company says it believes that the Irish High Court is referring the case based on an interpretation of US law that does not take into account “certain important protections and changes” that have been made since the case first began, it is essential that it considers this evidence in full.

” The Data of Millions of Data Subjects may Continue to be Processed Unlawfully”

A ruling by the European Court of Justice (ECJ) against the legal arrangements would throw up challenges for thousands of companies, which make millions of these transfers every day. The Irish High Court had earlier this month ordered the case to be referred to the EU’s top court to assess whether the methods used for data transfers – including SCCs and the so-called Privacy Shield agreement – were legal.

The European Commission has no exact figure available for the number of firms using SCCs to transfer their data, but one US estimate suggests that about 80 per cent of companies transferring data from the EU to the US use them.

Justice Costello concluded: “In my opinion very real prejudice is potentially suffered by Mr Schrems and the millions of EU data subjects of the matter is further delayed by a stay as sought in this case. Their potential loss is unquantifiable and incapable of being remedied. I am of the opinion that the court will cause the least injustice if it refuses any stay and delivers the reference immediately to the court of Justice. I so order.”

Justice Caroline Costello

“Considerable Concern”

In a 12-page ruling, Justice Costello accused the company of deliberately delaying the procedure in a bid to make it moot under the imminent General Data Protection Regulation (GDPR) legislation, noting that midway through a three week ruling in March 2017, she had asked about the GDPR and whether it would render the case moot.

“The fact that the point is only now being raised gives rise to considerable concern as to the conduct of the case by Facebook and the manner in which it has dealt with the court,” Costello said.

Facebook had not responded to a request for comment as Computer Business Review went to press, but plans to appeal the decision.

See also: FTC launches probe into Facebook privacy practices

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.