Following former National Security Agency (NSA) contractor Edward Snowden's revelations in 2013 about the US government's PRISM surveillance program, which allowed the NSA to harvest swathes of data directly from big internet companies, campaigner Max Schrems (and 25,000 other social networkers) accused Facebook of illegally tracking their personal data and breaching their right to privacy.
*LOL* @facebook still on massive miss-information tour on Ireland and the Austrian Appeals Court. Multiple journalists really pissed off.:P— Max Schrems (@maxschrems) October 22, 2015
Since the headquarters of Facebook and Google are registered in Dublin, Schrems filed the case in Ireland — under EU law. But the High Court of Ireland rejected the complaint. Schrems appealed and the case was referred to the European Court of Justice in Luxembourg, where judges declared the European Commission's US "safe harbor" decision "invalid" and failing to provide adequate protection to users.
The so-called "Safe Harbor" agreement is a transatlantic system in which data from social media companies is transferred from the European Union to internet servers in the United States.
Ireland's High Court has now ordered an investigation into the extent personal privacy was protected when EU citizens' Facebook data was transferred to servers in the US, overturning the commissioner's initial refusal to investigate the case.
Paul Anthony McDermott, lawyer for the Irish Data Protection Commissioner (DPC) told the High Court in Dublin:
"My client will now investigate the matter…with all appropriate diligence."
The judge awarded costs to Schrems.
Facebook's barrister, Rossa Fanning told the court that the social networking site would "constructively engage" with any investigation.
The ruling by Europe's top court came as no surprise to big internet companies — but it has left the tech giants scrambling to overhaul their business models now that the case is back in Ireland.
Facebook denies providing the NSA access to its servers and says its transatlantic data processes have already been audited by the Irish Data Protection Commissioner.