By EDRi

The Irish High Court has decided to review the lack of reaction of the Irish Data Protection Commissioner (DPC) in relation to the PRISM scandal.

This decision is a result of DPC’s reaction to student group Europe v Facebook (EvF) which had filed a complaint against Facebook Ireland Ltd, considering that it violated data protection laws by “exporting data” to its US-based parent company. “If a European subsidiary sends user data to the American parent company, this is considered an “export” of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an “adequate level or protection” in the foreign country,” stated EvF.

EvF also alleged that Facebook had cooperated with NSA within PRISM programme. However, in July 2013, DPC Billy Hawkes claimed that there was “nothing to investigate” as Facebook had acted within the terms of the “Safe Harbor” EU-US data-sharing agreement which allows transatlantic data transmission if US companies self-certify that they meet EU privacy requirements. The commissioner added that the agreement also permited data sharing if law enforcement authorities requested it.

Austrian data privacy campaigner Max Schrems, member of EvF, has challenged the refusal of the commissioner to investigate the Dublin-based Facebook subsidiary and asked him to investigate Edward Snowden’s allegations that it shared European user data with US authorities. He also asked DPC to investigate whether companies under its jurisdiction were in breach of EU data protection regulations. His complaint was dismissed as “frivolous and vexatious”.

“The DPC simply wanted to get this hot potato off his table instead of doing his job. But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it,” said Schrems. With the High Court’s decision, the DPC must now react. EvF hopes for a ruling in the next six months.

Schrems has filed similar Prism-related complaints in several European countries, as the ones against Microsoft and Skype in Luxembourg and against Yahoo in Germany, which are still being investigated by the competent data protection authorities.

Facebook decision can be reviewed (24.10.2013)
http://www.irishtimes.com/business/sectors/technology/facebook-decisio…

Facebook ‘PRISM’ decision to be reviewed by Irish High Court (24.10.2013)
http://www.telegraph.co.uk/technology/facebook/10401419/Facebook-PRISM…

PRISM: Irish DPC’s Refusal to investigate Facebook being reviewed by High Court (24.10.2013)
http://www.europe-v-facebook.org/PA_24_10_en.pdf