The Irish High Court yesterday ordered the Irish Data Protection Commissioner (DPC) to investigate Facebook’s European data privacy practices, bringing Max Schrems’ three-year fight full circle. The Court today quashed the original DPC refusal to examine Schrems’ complaint that came back to the High Court after the referral to the European Court of Justice (CJEU).
Ireland’s DPC, Helen Dixon, refused to investigate the original Schrems’ complaint based on the validity of the US-EU Safe Harbor Framework. By now, we all know what happened to Safe Harbor when it reached the CJEU.
The High Court decision awards Schrems costs for his legal bills and travel expenses and Judge Gerard Hogan commented that “the commissioner is obliged now to investigate the complaint … and I’ve absolutely no doubt that she will proceed to do so.”
The EU’s Article 29 Working Party of EU data protection officials issued a joint statement last week forthrightly expressing its position post-CJEU decision:
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.