The social media giant failed to block an offer that could ban it from sending data on its 410 million European users to the United States.
Ireland’s data regulator may resume an investigation that could trigger a ban on Facebook’s transatlantic data transfers, the High Court ruled on Friday, citing the prospect of a judgment the company said would have a devastating impact on its business.
The case stems from European Union concerns that U.S. government surveillance may violate the privacy rights of EU citizens when their personal data is sent to the United States for commercial purposes.
The Data Protection Commission (DPC) of the Republic of Ireland, Facebook’s main regulator in the EU, launched an investigation in August and issued an interim order that the main mechanism used by Facebook to transfer user data from the EU in the US “cannot in practice be used”.
Facebook had challenged both the investigation and the preliminary draft decision (PDD), saying they threatened “devastating” and “irreversible” consequences for its business, which relies on processing user data to disseminate targeted online advertising.
The High Court dismissed the challenge on Friday.
“I refuse all the help requested by the FBI [Facebook Ireland] and dismiss the allegations he made in the proceedings, ”Judge David Barniville said in a nearly 200-page judgment.
“The FBI has not established any basis to challenge the decision of the DPC or the PDD or the investigative procedures adopted by the DPC,” said the judgment.
While the move does not trigger an immediate halt to data flows, Austrian privacy activist Max Schrems, who has forced the Irish data regulator to act in a series of lawsuits over the past eight years, said he believed the decision made it inevitable.
“After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, possibly before the summer,” he said.
A Facebook spokesperson said the company was eager to defend its compliance with EU data rules as the Irish regulator’s interim order “could be detrimental not only to Facebook, but to users as well. and other businesses ”.
If the Irish data regulator enforces the interim order, it would effectively end the privileged access of US companies to personal data from Europe and put them on the same footing as companies in other countries outside the bloc.
The mechanism questioned by the Irish regulator, the Standard Contractual Clause (SCC), was found valid by the European Court of Justice in a July ruling.
But the Court of Justice has also ruled that under CCS privacy watchdogs must suspend or ban transfers outside the EU if data protection in other countries cannot be ensured. .
A Facebook lawyer told the High Court in December that the Irish regulator’s draft ruling, if implemented, “would have devastating consequences” for Facebook’s business, affecting the 410 million active users of Facebook in Europe, hitting political groups and undermining freedom of expression.
In February, Irish Data Protection Commissioner Helen Dixon said businesses more generally could face a massive disruption to transatlantic data flows following the European Court of Justice ruling.
Dixon’s office welcomed the decision on Friday, but declined to comment further.