Following a ruling of the high court of Ireland yesterday, the Irish Data Protection Commissioner agreed to inspect accusations that Facebook exposes the personal data of its users to mass snooping by US intelligence services. Maximilian Schrems, an Austrian Facebook user, filed a complaint with the DPC in 2013 that Facebook did not respect EU and Irish privacy law.
At first, the DPC dismissed the complaint, leaving Schrems to challenge it in the Irish high court. The DPC said that Facebook abided by the terms of the Safe Harbour agreement. Since the agreement was made by the European Commission under the terms of the EU directive that informed Irish law on the matter as well, the DPC had nothing to investigate.
Schrems asked the Irish high court for a review of the DPC's decision and they asked the Court of Justice of the EU to rule about whether national data protection authorities had the power to challenge the European Commission's ruling that the Safe Harbour agreement provided enough protection under EU law. The CJEU responded to the Irish high court's questions and decided earlier this month that national data protection authorities had a task to investigate complaints even when concerning decisions of the European Commission.
The Safe Harbour agreement forbids Facebook and many other companies from forwarding data to third parties with giving their users notice and a choice in the matter. There was an exception for reasons of national security, but Schrems asked the DPC to inspect whether Facebook's alleged granting of access to the NSA met the requirement or was voluntary.
A Facebook representative said, “Facebook is not and has never been part of any programme to give the US government direct access to our servers.”