Facebook is facing fresh legal headaches in Europe.
In October, Europe’s top court ruled that a key legal method for transfering data between Europe and the US is invalid due to concerns over US government spying. Max Schrems, the activist who brought about the initial legal challenge, has now filed three more complaints against the Californian social networking giant.
If successful, Schrems’ complaints could force Facebook to stop transferring European users’ data to the US altogether.
The Safe Harbour scheme, formulated in 2000, gave tech companies an easy way to legalise the transfer of data between the US and Europe. But in the aftermath of whistleblower Edward Snowden’s revelations about NSA surveillance, Austrian activist and law student Max Schrems filed a case against Facebook, alleging this spying meant users’ data was not subject to adequate protections.
The case eventually made its way its way to the European Court of Justice (ECJ), which in October 2015 ruled that the Safe Harbour scheme was invalid, and could not usurp the powers of local data protection authorities (DPA’s).
Of course, Safe Harbour isn’t the only way to legitimise the transfer of data across the Atlantic. You can also obtain the consent of the data subjects, or use “model clauses” pre-approved by European authorities. But it was the easiest, and its revocation has thrown the legal arrangements of the 4,500 companies that used it into chaos.
Schrems has now filed three legal complaints against three DPA’s — in Ireland, Belgium, and Hamburg in Germany. The aim is, a statement on his website says, to “legally … enforce this judgement on Facebook.”
A Facebook spokesperson provided Business Insider with the following statement:
“We have repeatedly explained that we are not and have never been part of any program to give the US government direct access to our servers. Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world.
“These issues are being examined by the Irish Data Protection Commission (DPC) at the request of Mr Schrems. We are cooperating fully with the DPC and are confident that this investigation will lead to a comprehensive resolution of Mr Schrems’ complaints.”
Facebook — unlike some other companies — was not immediately affected by the Safe Harbour ruling, because it did not rely on the mechanism for legitimise the transfer of data. It uses model clauses instead. But Schrems argues that Facebook cannot adequately protect user data and so the transfer should be suspended.
He also warns that failure to enforce the European court’s judgement could have “consequences” for officials in Europe. He said: “I have absolutely no doubt that the vast majority of all European DPAs properly investigates complaints and take reasonable actions. However in one particular case I felt the need to clarify that willful resistance to do the job may have personal consequences for officeholders.”