On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence.”
In 2013, Schrems complained to the Irish Data Protection Commissioner (“DPC”) that Facebook’s transfers of personal data to the U.S. were unlawful. The DPC declined to investigate Facebook, on the basis that such an investigation was outside the DPC’s remit. Schrems sought judicial review of that decision and, in the course of hearing Schrems’ complaint, the Irish High Court referred several questions to the Court of Justice of the European Union (“CJEU”). In response to those questions, the CJEU determined that the European Commission’s Safe Harbor Decision is invalid.
In light of the CJEU’s judgment, the DPC’s investigation is expected to conclude that Facebook cannot rely upon the U.S.-EU Safe Harbor Framework as a lawful basis for transferring data to the U.S. The wider consequences for Facebook and other businesses that had until recently relied upon the Safe Harbor, however, remain to be seen. Hunton & Williams has provided further insight into the practical next steps that organizations should consider at this stage.