top of page
Search

High Court of Ireland Lets Inquiry Into Facebook EU Data Transfers Proceed

  • May 14, 2021

Today, the Justice David Barniville of the High Court of Ireland issued a decision in Facebook Ireland, Ltd. and Data Protection Commission and Schrems, 2020 No. 617 JR, available at: https://noyb.eu/sites/default/files/2021-05/High%20Court%20Judgement%202021-05-14.pdf, which ruled on the application of Facebook and Schrems for judicial review of a preliminary decision by the DPC on whether Facebook was making lawful transfers of personal data of EU citizens. Facebook contends that the DPC's decision was unlawful under the GDPR because amongst other grounds, they did not conduct an investigation beforehand and because Facebook was not given sufficient time to make a submission to the DPC. Schrems stressed the importance for the DPC to act quickly under the GDPR and in light of the decision by the Court of Justice of the European Union in Schrems II. (See the Tip of the Night for July 22, 2020.)


Justice Barniville concluded that Facebook was not entitled to relief, but did request additional comments from counsel on the refusal by the DPC to provide information requested by Facebook.


DPC was found to have adequate reasoning for its decision to conduct an inquiry, and the procedure it followed was deemed to be adequate. Facebook was given reasons why the decision was made; it was given enough information to decide whether or not an appeal was needed; and the given reasons allowed for the court to conduct a proper review.


21 days was deemed to be a sufficient time period in which for Facebook to make submissions. ". . . that in addition to its obligation to respect the rights of the defence and to afford fair procedures, including the right to be heard, to those who are subject to an inquiry commenced by the DPC, the DPC also has significant obligations under the GDPR to act expeditiously in the exercise of its powers." Id. ¶ 262.


The DPC was found not to have acted ultra vires in breach of its obligations under the GDPR: ". . . I accept the DPC’s submission that in the absence of prescribed requirements for an inquiry . . . it is open to the DPC to gather information in a variety of ways, subject at all times to the overriding requirement of fair procedures as well as the other requirements contained in the GDPR concerning the need for expedition and due diligence." Id. ¶158.


The DPC was not required to wait for guidance from the European Data Protection Board in its pending examination of the Schrems II decision. "There is nothing in the GDPR concerning the establishment and functions of the EDPB which would impose such an obligation upon the DPC or preclude it from proceeding with the inquiry. On the contrary, I am satisfied that there is nothing in the GDPR which would support the contention that the absence of guidance from the EDPB amounted to a bar on the DPC commencing and proceeding with the inquiry." Id. ¶ 346


Justice Barniville also ruled that the DPC had not breached a duty of candor owed to Facebook, and that allegations of an abuse of process brought by the DPC against Facebook, and then withdrawn, were baseless and should have been withdrawn sooner.


This decision allows the inquiry by the Data Protection Commission to proceed against Facebook, and potentially halt transfers of personal data outside of the European Union.






GDPRHub / NOYB

  • Feb 5, 2021

Max Schrems, the plaintiff in the case in which the EU Court of Justice ruled that the European Union/United States Privacy shield was inadequate under the GDPR for data transfers, has started an organization, NYOB (None Of Your Business) which files GDPR related complaints. NOYB has created a site, GDPRHub to organize information related to the GDPR.


The site posts decisions (and summaries of those decisions) by European data protection authorities and the courts of various countries in the EU.




The site also provides outlines for the data protection laws in each European Union member country.



GDPRHub is still a work progress, but it's a good way to get a quick handle on GDPR related caselaw.


NOYB filed a complaint with France's Commission nationale de l'informatique et des libertés (CNIL) which led the commission to issue a 50 million euro fine on Google for failing to gain users' consent to process data.

Digital Services Act and Digital Markets Act

  • Dec 22, 2020

The European Union announced the Digital Services Act and Digital Markets Act this month. The proposed legislation is designed to prevent Big Tech from competing unfairly with small businesses. A fine of ten per cent of total revenue would be assessed for violations of the regulations. Google, Apple, and other large companies would be prevented from ranking their products ahead of others, and from banning smaller companies from their marketplaces. In some cases, big companies would have to share their data with smaller competitors.


The larger players may also be prevented from pre-installing their software on devices.


Big Tech companies may face fines of as high as 6 per cent of global revenue for disseminating illegal content. Independent auditors would be appointed to monitor the data of Big Tech companies.


If the DSA and DMA become law, the way the digital economy functions will be transformed.




Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

Your details were sent successfully!

© 2015 by Sean O'Shea . Proudly created with Wix.com

bottom of page