Irish data protection regulators should have investigated allegations first raised by Edward Snowden that Facebook Inc. (FB:US)’s Irish unit transfers data to U.S. spies, a lawyer for an Austrian student told an Irish court.
Max Schrems, a law student at Vienna University, is challenging the Irish Data Protection Commissioner’s refusal to investigate whether his data was sent by Facebook to the U.S. National Security Agency. He cited a document leaked by Snowden, a former security contractor, and published in the Guardian newspaper, as “probable cause” that Facebook may allow U.S. spies to access its servers.
The Irish regulator “was not entitled to turn a blind eye to the revelations of Edward Snowden and publication of those revelations,” Schrems’ lawyer, Paul O’Shea, said at a court hearing today.
Companies that allow U.S. spy agencies to gain access to data on European Union citizens may violate data-protection law, a group of European regulators said earlier this month. Mark Zuckerberg, Facebook’s chief executive, called U.S. President Barack Obama to express frustration over government spying, he wrote in a post last month. Company engineers “work tirelessly” to improve the site’s security, he said.
Facebook declined to comment on an ongoing legal case, Richard Appleton, an external spokesman for the Menlo Park, California-based company, said in an e-mail. Zuckerberg said last year that Facebook “is not and has never been part of any program to give the U.S. or any other government direct access to our servers.”
Ireland’s data-protection authority is in charge of Facebook’s compliance with EU data-protection law because the social network owner’s European headquarters are located in Dublin. Facebook’s Irish unit is responsible for the business outside of the U.S. and Canada.
Ireland’s Data Protection Commissioner told Schrems it couldn’t probe his complaint because it was “frivolous and vexatious.” Schrems previously made 22 complaints about Facebook’s compliance with EU privacy rules, such as the company keeping photos on its servers after they’d been deleted.
Schrems’ complaints helped trigger a 2011 audit by the data-protection regulator to check Facebook’s compliance with EU privacy rules.
The Data Protection Commissioner still hasn’t made final decisions on the complaints Schrems made in 2011, Catriona Holohan, a spokeswoman for the Portarlington, Ireland-based regulator said in an e-mail. Draft decisions may be issued in the coming months and Schrems can then make an appeal to the Irish courts, she said.
Regulators in Germany have criticized Ireland’s handling of Schrems’ complaints. The data protection commissioner for the state of Schleswig-Holstein said in 2011 that he couldn’t understand’’ why the Irish agency’s report on Facebook listed privacy problems, but didn’t declare them illegal. Hamburg’s data protection authority has said some of the Irish agency’s recommendations were fare “unclear.”
To contact the reporters on this story: Aoife White in Brussels at firstname.lastname@example.org; Donal Griffin in Dublin at email@example.com
To contact the editors responsible for this story: Anthony Aarons at firstname.lastname@example.org Mark Beech