Brussels: The European Union’s top court should decide whether data-protection regulators can probe allegations that Facebook Inc.’s Irish unit illegally handed over data to US spies, an Irish judge ruled on Wednesday.
Revelations of mass surveillance by former US contractor Edward Snowden may have exposed gaping holes in contemporary US data protection practice that could undermine an accord that allows companies to transfer information to the US from Europe, Irish high court judge Gerard Hogan said in a decision published online.
Before probing alleged Facebook transfers to the US National Security Agency, Hogan said the EU Court of Justice should say whether Irish authorities must respect the EU’s view that US data protection is adequate as part of a trans- Atlantic pact from the year 2000.
The Facebook case comes weeks after judges at the top EU court roiled Google Inc. with a ruling that said citizens have a so-called right to be forgotten—where their fundamental rights are harmed by personal information posted online and where there is no public interest in publishing it.
The EU is seeking stronger safeguards for privacy in a new data-transfer deal with the US, the bloc’s justice commissioner Viviane Reding said earlier this month. The discovery of widespread US spying on EU citizens, including top politicians such as German Chancellor Angela Merkel, have added to the clamor for more privacy protection. Companies, such as Vodafone Group Plc, have also disclosed how governments demand access to phone calls, e-mails and other data.
Max Schrems, the Austrian law student who sparked the Irish case, asked the court to overturn the Irish Data Protection Commissioner’s refusal to examine his complaint over the alleged data transfer. He cited a document leaked by Snowden and published in the Guardian newspaper, as probable cause that Facebook may allow US spies to access its servers.
“The Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens," Hogan said in his decision. “Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programs."
“Facebook told the Irish authority that it only handed data to US security agencies by means of targeted requests which were properly and lawfully made," Hogan said in the ruling. The Irish Commissioner also ruled that Facebook had appropriate procedures to handle such requests.
Facebook representatives in Brussels declined to immediately comment on the judge’s decision.
Companies that allow US spy agencies to gain access to data on European Union citizens may violate data-protection law, a group of European regulators said in April. Mark Zuckerberg, Facebook’s chief executive officer, contacted US President Barack Obama to express frustration over government spying, he wrote in a post in March. Company engineers work tirelessly to improve the site’s security, he said.
Ireland’s data-protection authority is in charge of Facebook’s compliance with EU data-protection law because the social network owner’s European headquarters are located in Dublin. Facebook’s Irish unit is responsible for the business outside of the US and Canada.
Zuckerberg said last year that Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.
Ireland’s Data Protection Commissioner told Schrems it couldn’t probe his complaint because it was frivolous and vexatious. Schrems previously made 22 complaints about Facebook’s compliance with EU privacy rules, such as the company keeping photos on its servers after they’d been deleted. Bloomberg