The European Union’s top court should decide whether data-protection regulators can probe allegations that Facebook Inc. (FB)’s Irish unit illegally handed over data to U.S. spies, an Irish judge ruled today.
Revelations of mass surveillance by former U.S. contractor Edward Snowden may have “exposed gaping holes in contemporary U.S. data protection practice” that could undermine an accord that allows companies to transfer information to the U.S. from Europe, Irish High Court Judge Gerard Hogan said in a decision published online.
Before probing alleged Facebook transfers to the U.S. National Security Agency, Hogan said the EU Court of Justice should say whether Irish authorities must respect the EU’s view that U.S. data protection is adequate as part of a trans-Atlantic pact from the year 2000.
The Facebook case comes weeks after judges at the top EU court roiled Google Inc. (GOOG) with a ruling that said citizens have a so-called right to be forgotten -- where their fundamental rights are harmed by personal information posted online and where there is no public interest in publishing it.
The EU is seeking stronger safeguards for privacy in a new data-transfer deal with the U.S., the bloc’s Justice Commissioner Viviane Reding said earlier this month. The discovery of widespread U.S. spying on EU citizens, including top politicians such as German Chancellor Angela Merkel, have added to the clamor for more privacy protection. Companies, such as Vodafone Group Plc, have also disclosed how governments demand access to phone calls, e-mails and other data.
Data Transfer
Max Schrems, the Austrian law student who sparked the Irish case, asked the court to overturn the Irish Data Protection Commissioner’s refusal to examine his complaint over the alleged data transfer. He cited a document leaked by Snowden and published in the Guardian newspaper, as “probable cause” that Facebook may allow U.S. spies to access its servers.
“The Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens,” Hogan said in his decision. “Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programs.”
Facebook told the Irish authority that it only handed data to U.S. security agencies “by means of targeted requests which were properly and lawfully made,” Hogan said in the ruling. The Irish Commissioner also ruled that Facebook had “appropriate procedures” to handle such requests.
Sally Aldous, a spokeswoman for Facebook in London, declined to comment on the judge’s decision.
Spy Agencies
Companies that allow U.S. spy agencies to gain access to data on European Union citizens may violate data-protection law, a group of European regulators said in April. Mark Zuckerberg, Facebook’s chief executive officer, contacted U.S. President Barack Obama to express frustration over government spying, he wrote in a post in March. Company engineers “work tirelessly” to improve the site’s security, he said.
Zuckerberg said last year that Facebook “is not and has never been part of any program to give the U.S. or any other government direct access to our servers.”
Ireland’s data-protection authority is in charge of Facebook’s compliance with EU data-protection law because the social network owner’s European headquarters are located in Dublin. Facebook’s Irish unit is responsible for the business outside of the U.S. and Canada.
‘So Serious’
The Irish Data Protection Commissioner’s Office said it was “appropriate” that the EU court should weigh the issues, including a possible re-evaluation of the EU-U.S. pact, “because the data privacy issues raised by the Snowden revelations are so serious.”
The authority previously told Schrems it couldn’t probe his complaint because it was “frivolous and vexatious.” Schrems previously made 22 complaints about Facebook’s compliance with EU privacy rules, such as the company keeping photos on its servers after they’d been deleted.