Facebook data snooping case heads to EU Court of Justice

The European Court of Justice today began hearing a case that could have massive implications on data privacy legislation across the continent.

The case, which is being put to the European Union by an Austrian Facebook user called Maximilian Schrems, aims to prevent US intelligence agencies from accessing the private data of EU citizens.

The hearing has been labelled ‘Europe v Facebook’, and seeks to highlight wider concerns over alleged misuse of private user data by America’s National Security Agency.

In June 2013, NSA whistleblower Edward Snowden revealed wide-scale tapping of private data that was being operated under the guise of security investigations.

One such clandestine surveillance program was PRISM, an investigative venture that saw the NSA tap into communications of non-US residents using data acquired from a host of US technology companies.

Schrems, who crowdsourced £44,000 in order to fund the case, initially complained to Facebook in 2011.

His complaints regarded the handling of his personal data, two years prior to the Snowden revelations. He managed to recover 1,222 pages of data material from the US company.

Schrems argued that Facebook, Apple, Google, Yahoo, Skype, Microsoft, and other participants of the PRISM program have outsourced European operations to Ireland or Luxembourg, and should thus fall under the jurisdiction of EU law.

He then contacted the Irish data regulator in August 2014, arguing that the US company, whose European HQ is based in Dublin, had flouted privacy laws.

Related: TR Talks: Silent Circle on Blackphone 2, Apple, Samsung, and more

EU law currently states that exporting data from Europe to the United States is only legal if the company handling the data transfer can offer ‘adequate protection’ once it reaches the US.

The Irish High Court declined to investigate the matter, however, as it is covered by a Europe/US deal called ‘Safe Harbour’ that sees both countries pledge to protect the private data of EU citizens.

At the time, the Irish Data Protection Commission described Schrem’s arguments as ‘frivolous and vexatious’, and said that it was ‘absolutely bound’ by Safe Harbour.

It’s worth noting that Safe Harbour, first created in 1999, has been criticised over the fact that data created in Europe by local users is not properly protected once it reaches servers in the United States.

Undeterred by the lack of intervention, Schrems has since brought the matter to the highest court in Europe, seeking to challenge the High Court’s decision.

He wants ‘Safe Harbour’ to be cancelled, and requests that the Irish DPC audit the exchange of information between Europe and the USA via US-based technology companies.

If Schrems is successful, it could mean that US technology companies will have to go to much greater to lengths to ensure data created by users in Europe does not end up in the hands of non-EU intelligence agencies.