The Irish High Court has referred for a second time a legal challenge to Facebook’s EU-US data transfers to Europe’s top court, seeking a preliminary ruling on a series of fundamental questions pertaining to the clash between US mass surveillance law and EU citizens’ fundamental privacy rights. The sustainability of the EU-US Privacy Shield mechanism — which thousands of companies rely on to expedite transfers of personal data across the Atlantic — looks to be at stake. The case is based on a 2013 complaint by lawyer and privacy campaigner Max Schrems against Facebook (and other tech giants) related to US surveillance law. Schrems drew on information about US intelligence agency practices and systems for sucking up data that had been revealed by NSA whistleblower, Edward Snowden. In 2015, a landmark ECJ judgement overturned a long-standing EU-US data transfer mechanism, called Safe Harbor, as a result of his legal action. Schrems then updated his complaint, this time focusing exclusively on Facebook and addressing a secondary EU-US data transfer mechanism that’s still being used, called Standard Contractual Contracts (SCCs). SCCs are used by Facebook to transfer data between its European entity, Facebook Ireland, and Facebook USA — essentially via a contract in which Facebook USA pledges to follow EU privacy principles. The Irish High Court court issued an underlying judgement on the updated complaint last October, deciding to refer legal questions over this EU-US data transfer mechanism to Europe’s top court, as it had with Schrems’ original complaint. The court has backed the view that US government surveillance practices involve a mass processing of personal data. It’s a finding that clashes with fundamental European privacy rights. And this core legal clash is the Gordian knot that US tech giants — including Facebook — are now bound up with as a consequence of domestic surveillance law granting the US government swingeing rights to suck up data from “electronic communication service providers”. Incompatibility between two separate and distinct legal regimes and data priorities (in simple terms, EU vs US law on data boils down to protection for privacy vs retention for security) was the reason for the 2015 strike down of the 15-year-old Safe Harbor arrangement, following Schrems’ original complaint. It’s also why the replacement EU-US Privacy Shield mechanism, which only started operating in August 2016, remains precariously placed — with the Trump administration doing nothing to enhance privacy protections as EU lawmakers want. On the contrary; earlier this…

Source: TechCrunch – Social Privacy Shield now facing questions via legal challenge to Facebook data flows