(Reuters) – Ireland’s data regulator defended its provisional order to halt Facebook user data transfers to the United States from the European Union, telling the Irish High Court on Thursday such decisions were not typically subject to court oversight.
Ireland’s Data Protection
Commission, the EU’s lead regulator for Facebook, issued the order in August after Europe’s highest court ruled that a transatlantic data transfer framework known as Privacy Shield was invalid.
Facebook called for a judicial review of the commission’s decision and in September Ireland’s High Court temporarily froze the order to allow such a review, which began on Tuesday.
The EU is concerned that the surveillance regime in the United States may not respect the privacy rights of EU citizens once their personal data is sent there for commercial use.
Facebook told the High Court this week that the EU Court of Justice ruling on Privacy Shield in July alone did not justify a halt to transatlantic data flows, which it says would lead to “devastating” consequences for its business.
It also said the Irish regulator had failed to hold a full investigation into transatlantic data flows and had not given it enough time to respond.
A lawyer for the Irish regulator said on Thursday that the decision to halt flows had been based in part on findings by the European Court and the Irish Supreme Court as well as its own investigations prior to the July ruling.
“There is simply nothing in the point that there is some fatal absence of investigation prior to the draft decision being published,” Michael Collins told the court.
Collins rejected the Facebook argument that the evidence considered by the Irish and EU courts was out of date, saying Facebook had not offered any evidence that the legal situation in the United States had changed in the meantime.
The European court decision indicated that a legal mechanism used by Facebook for transfers, the Standard Contractual Clause, was legal but not sufficient to demonstrate user data would be protected, without additional safeguards, Collins said.
He said Facebook was obliged to publish on its web site any additional safeguards it has put in place to defend the data privacy of EU users but had not done so.
The Irish regulator “was entitled to conclude that … there doesn’t appear to be any such additional safeguards”, he said.
“Courts generally don’t entertain judicial review challenges to provisional decisions,” Collins said, noting that the regulator had given Facebook 21 days to respond.
Facebook has said the regulator must hold a fresh investigation to ascertain whether the safeguards it has in place are sufficient to protect EU user’s data.
Reporting by Conor Humphries; Editing by David Clarke