Ireland’s data regulator can proceed with an inquiry that could lead to a ban on Facebook’s data transfers from the European Union to the United States, the country’s High Court ruled on Friday.
Ireland’s Data Protection Commissioner (DPC) launched an inquiry in August and issued a provisional order that the mechanism Facebook uses to transfer EU user data to the United States “cannot in practice be used”.
Facebook had challenged both the inquiry and the Preliminary Draft Decision (PDD), saying they threatened “devastating” and “irreversible” consequences for its business, which relies on processing user data to serve targeted online ads.
The High Court on Friday rejected the challenge.
“I refuse all of the reliefs sought by FBI (Facebook Ireland) and dismiss the claims made by it in the proceedings,” the court said in a judgment.
“FBI has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC,” the judgment said.
Austrian privacy activist Max Schrems, who was instrumental in forcing the data regulator to initiate the inquiry, said he believed the decision made it inevitable that Facebook’s data flows would be halted.
“After eight years, the DPC is now required to stop Facebook’s EU-U.S. data transfers, likely before summer,” Schrems said in a statement.
The dispute is part of the fallout from July’s shock decision at the EU’s Court of Justice, which toppled the so-called Privacy Shield, an EU-approved trans-Atlantic transfer tool, over fears citizens’ data isn’t safe once shipped to the U.S.
That ruling was quickly followed by a preliminary order from the Irish Data Protection Commission telling Facebook it could no longer use an alternative tool, known as standard contractual clauses, to satisfy privacy rules when shipping data to the U.S.
The Irish regulator is the main privacy authority for Facebook and many other U.S. tech giants that have their European bases in the EU nation, from Apple Inc. to Google. That means the final decision could also set the course for data transfers for many other companies under its purview.
EU data-protection watchdogs have been weighing a much tougher approach to data transfers since the July ruling, because it raised the bar for continued data flows outside the EU by demanding that data protection in other countries must be “essentially equivalent” to that in the bloc.
The controversy over data transfers stretches back even further, to 2013, when former contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency.
The EU has strict data protection rules in place since the General Data Protection Regulation took effect in 2018, empowering national regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations.
Facebook said on Friday it would defend its compliance with European Union privacy laws after the Irish High Court threw out its objections to an investigation opened by the Irish Data Protection Commission (IDPC).