EU court to probe new Facebook data challenge

Max Schrems, an Austrian privacy campaigner who had initially challenged Facebook in light of the US surveillance, said in a statement that the internet giant "seems to have lost in every argument they were making."

The five-week hearing had scoured through some 45,000 pages of documents in a move that appears to suggest that the United States may be violating the fundamental rights of Europeans.

Mass indiscriminate processing of data

The Irish court in its judgment said that "it is clear that there is mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance."

It noted that the "case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond".

EU law requires that the personal data of Europeans is "adequately protected" whenever it is transferred outside the European Union.

But the US spy hub, the National Security Agency (NSA), has been sweeping up and processing the same data regardless of EU laws, according to disclosures by US intelligence contractor Edward Snowden. The revelations sparked outrage throughout Europe.

Facebook's international seat is in Dublin. The Irish-based headquarter deals with over 85 percent of global Facebook users, which is then sent to its parent company in the United States for processing.

Facebook and similar US tech giants have been forced into a legal dilemma - to either comply with NSA demands or follow EU laws. The data transfers are worth billions to the companies.

Safe Harbour vs Privacy Shield

The European Court of Justice in 2015 had already knocked down a EU-US data sharing pact known as Safe Harbour, due in part, to mass surveillance.

The scheme has since been replaced by Privacy Shield, which itself has come under intense scrutiny given the lack of US efforts to fully implement the self-certifying agreement.

Tuesday's judgment refers to so-called standard contractual clauses that also allow the data transfers to take place.

Facebook Ireland started using the clauses with its parent US-based Facebook Inc after Safe Harbour became invalid.

The clauses have a built-in emergency feature that allows local European data protection authorities to stop the data flows, should the personal data of Europeans be violated while in the United States and elsewhere.

Schrems had argued that the Irish Data protection authority at the time was duty bound to trigger the emergency clause, given the NSA revelations.

But Tuesday's judgment now questions the validity of the standard contractual clauses in general, which had been approved by the European Commission.

Ireland's data protection commissioner, Helen Dixon, had probed Schrems complaint in 2016 and found his arguments against his data being transferred to the US compelling.

But she then questioned the validity of standard contractual clauses themselves, going beyond Schrem's initial complaint.

Schrems said such clauses are valid as they allow data protection authorities to suspend individual problematic data flows.

"It is still unclear to me why the DPC [data protection commissioner] is taking the extreme position that the SCCs [standard contractual clauses,] should be invalidated Facebook across the board, when a targeted solution is available," he said.

The Luxembourg-based court is set to receive the exact questions from the Irish High Court to be probed at a later date.