Facebook said on Thursday a legal challenge against the way it transfers EU user data to the United States was “deeply flawed” and should not be referred to the EU’s top court because ample privacy protections were already in place.
The challenge by the Irish data regulator is the latest to question whether methods used by large tech firms such as Google and Apple to transfer data give EU consumers sufficient protection from US surveillance.
The issue of data privacy came to the fore after revelations in 2013 from former US intelligence contractor Edward Snowden of mass US surveillance caused political outrage in Europe.
Facebook says the case could lead to a breakdown in transatlantic data transfers that could knock EU economic output by up to 1.3 percent.
Ireland’s Data Protection Commissioner, which regulates Facebook as its European headquarters are in Dublin, found in May that a complaint about privacy protections in mechanisms Facebook uses to transfer data was “well-founded.”
It is asking the Irish High Court to refer the case to the Court of Justice of the European Union (CJEU), which would then decide whether to ban the use of “model contracts” – common legal arrangements used by thousands of firms to transfer personal data outside the 28-nation bloc.
A lawyer representing Facebook told the High Court that the case by the Irish regulator was flawed because it did not take into account the EU-US Privacy Shield agreement that came into force last August to address earlier concerns about US surveillance.
Under the agreement, the replacement for the Safe Harbour agreement struck down by the CJEU in 2015, the United States agreed to limit the collection of and access to Europeans’ data stored on US servers.
“How could you have a well founded concern about the protections that are available without having looked at it (privacy shield),” Paul Gallagher, representing Facebook, told the High Court.
“There should be no reference because the (Data Protection Commissioner’s) decision has been overtaken by events,” he said. “The decision is deeply flawed.”
Gallagher said that the level of transparency and the variety of protections in the United States “match anything in Europe” and said the court had not heard expert arguments on the quality of US privacy protections.
The Irish commissioner’s office initially became involved after Austrian law student and privacy activist Max Schrems made a complaint in Dublin about Facebook’s handling of his data in the United States.
Schrems and other privacy campaigners contend that alternative arrangements such as model clauses don’t offer Europeans any means of redress either.
A lawyer representing Schrems, James Doherty, told the court that a referral to the European Court was “unnecessary or at least premature” as the Irish regulator had not fully investigated the complaint and had not used all tools in its power to restrict data flows where consumers’ rights were threatened.