On Tuesday 3 October, the Irish High Court asked the Court of Justice of the European Union (CJEU) to take position on whether the Irish regulator, the Data Protection Commission (DPC), is authorised to suspend or ban the transfer of Facebook Ireland users' personal data to the United States.
This question was asked in the framework of a dispute brought by the Austrian lawyer Max Schrems - who was behind the CJEU's decision to overturn the 'Safe Harbour' agreement that preceded the current transatlantic system for the transfer of personal data for commercial purposes, 'Privacy Shield' (see EUROPE 11404) - against Facebook Ireland, arguing insufficient guarantees of privacy.
When this complaint was brought before it, the DPC asked the Irish High Court to seek a preliminary ruling from the CJEU, on the grounds that the standard contractual clauses governing transfers of personal data out of the EU were adopted by the European Commission and the decision on whether to ban or suspend these transfers cannot therefore be taken at national level.
Commenting on the Irish High Court's decision to seek a preliminary ruling, the Business Software Alliance - which has been granted amicus curiae status in the case - issued a press release stating that the case should not be about the standard contractual clauses in themselves, but instead about how the clauses are drafted and used for the specific transfers involved. According to the organisation, these clauses contain important safeguards for the protection of users and, in particular, grants the national data protection authorities powers to examine the specific implementation of these clauses on a case-by-case basis.
Readers may recall that the Spanish and French data protection authorities have also taken action against Facebook this year (see EUROPE 11859), fining the American giant €1.2 million and €150,000 respectively for breaching the data protection of its users. (Original version in French by Marion Fontana)