The Irish High Court has formally asked the Court of Justice of the European Union (CJEU) to figure out whether it’s legal under European law for Facebook to routinely transfer user data to the United States. The referral to the court was published Thursday, and Facebook has until the end of the month to respond to the Irish court.
If the CJEU rules against Facebook, it could put a slew of American tech giants on notice and throw what is generally a smooth and orderly process into chaos. Right now, European Twitter, Google, and Facebook users have their data captured in their home countries, but the data is processed and/or stored by the American parent companies.
As part of a five-year legal battle involving Austrian privacy activist Max Schrems, the CJEU is now being asked to determine whether the current set of rules that govern those transfers, known as “Privacy Shield,” are adequate. The case is being heard in Ireland as it involves Facebook Ireland, which keeps all non-American and non-Canadian data is funneled through.
Facebook Ireland Limited in Dublin is believed to have been created largely for tax minimization reasons.
Curiously, it’s not just European Facebook users that should be concerned—but anyone outside the United States or Canada who signed up for the service. Buried in the lengthy terms and conditions that nobody reads is a stipulation that anyone outside North America is actually signing a contract with Facebook Ireland. “If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc,” the terms state. “Otherwise, this Statement is an agreement between you and Facebook Ireland Limited.”
This years-old dispute is particularly heightened now that Facebook CEO Mark Zuckerberg has faced two days worth of questioning by American lawmakers in the wake of the Cambridge Analytica scandal. In addition, the EU’s new General Data Protection Regulation is set to take effect in late May—Zuckerberg told reporters recently that he would voluntarily extend those benefits to Americans as well.
Previously, Schrems got an earlier set of EU rules, known as “Safe Harbour,” overturned.
As Justice Caroline Costello wrote in the Thursday referral:
[Schrems] states that his personal data is forwarded by Facebook to Facebook Inc. in the United States of America where his data is processed. Facebook Inc. is obliged to make his personal data available and/or obliged to disclose it to the United States authorities such as, for example, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). He alleges that there is no judicial remedy which would allow the data subject to take appropriate action to protect his personal data rights.
In a statement sent to reporters, Schrems seemed optimistic that the CJEU would ultimately rule in his favor.
“In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” he wrote. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run unless they split the service in two or give up tax avoidance in Ireland.”
Facebook did not immediately respond to Ars’ request for comment.