Author: Sarah E. Hsu Wilbur
Case Citation: Data Prot. Comm’r v. Facebook Ir. Ltd. & Schrems, [2017] 2016 No. 4809 P. (H.Ct.)
Employee/Personnel/Employer Implicated: Facebook; Social Media Providers
eLesson Learned: Whether for eDiscovery purposes or otherwise, you should not attempt to obtain or transfer (or have your client transfer) personal data (including data from a social media account) of any EU citizens into or within the US without first checking to see whether obtaining or transferring such data would violate any EU privacy laws and expose you or your client to being sued.
Tweet This: Don’t try to get or send personal data of EU citizens before first checking to see if it violates any EU privacy laws!
In this case, Facebook subscriber Maximillian Schrems sued Facebook Ireland because he said Facebook Ireland transferred his personal data to Facebook Inc. in the US in violation of EU privacy laws. As brief background relevant to this case, in 2013, former NSA employee Edward Snowden went rogue and disclosed documents that showed the NSA operated the Internet and telecommunications systems of some major global tech companies including Facebook, thereby allowing the NSA to conduct surveillance on said companies. Schrems thus argued that in light of Snowden’s disclosures, Facebook Ireland transferring “his personal data to its US parent, Facebook Inc., for processing was unlawful both under national and EU law.” He argued that Facebook Inc. is subject to a number of laws and other orders that require it to disclose personal data of individuals to US authorities, which in and of itself violates the EU’s privacy laws, even if the US government never accessed his personal data.
Facebook Ireland did not deny that it transferred Schrem’s personal data and in fact continued during litigation to transfer Schrem’s and other EU-resident Facebook subscribers’ personal data to the EU. Facebook Ireland argued, however, it had the right to do this because of its data transfer and processing agreement with Facebook Inc. and because it had language that resembled the “standard contractual clauses” that basically operated as a safe harbor for companies transferring such personal data of EU citizens to other countries. “Standard contractual clauses” (SCCs) are an EU-approved mechanism to transfer personal data between US (or other non-EU countries) and EU countries, which clauses essentially guarantee that personal data of EU citizens transferred to a non-EU country pursuant to those clauses enjoys the same amount of protection that the EU provides for that data. In other words, they ensure “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals,” including EU resident Facebook subscribers, and are approved under current EU data privacy laws. Schrems argued that a company such as Facebook using the SCCs and transferring his personal data and that of other EU citizens to the US does not provide the same privacy protections as the EU offers and therefore violates EU law. The Data Protection Commissioner investigated the case and agreed with Schrems.
The High Court of Ireland decided in favor of Schrems, concluding that the laws and practices of the United States “do not respect the essence of the right to an effective remedy before an independent tribunal as guaranteed by [EU law], which applies to the data of all EU data subjects transferred to the United States.” The Court reasoned that the validity of SCCs “cannot depend on the automatic exercise of a discretionary power,” reasoning that the EU recognizes a right to data privacy as a “fundamental right and freedom,” unlike in the United States. Thus, following this decision, it is unclear whether SCCs continue to be a valid way to transfer personal data to third countries.
This decision impacts eDiscovery in the US for cases that involve parties who are EU citizens because of the strict EU data privacy laws that apply to those parties. When dealing with EU citizen parties from whom you may need eDiscovery or if you need eDiscovery that includes the transfer of personal data of EU citizens or personal data that is stored in the EU (particularly personal data found on a social media site), you should always check the current EU privacy laws and recent decisions involving personal data of EU citizens to make sure you are requesting the information in a lawful way. Be careful in framing the requests for this information and in requesting this information in the first instance so as not to risk yourself or your client to possibly being sued for violating EU data privacy laws. Keep in mind you may not be able to obtain this information unless an exception like consent or national security applies.
Sarah is a Seton Hall University School of Law student (Class of 2018), pursuing an Intellectual Property concentration through the Privacy and Security Law Track. After graduating, she will begin working as a Litigation Associate in a large Manhattan law firm. Sarah graduated from the University of Florida in 2009 with a B.S. in Journalism, and she worked as both a multimedia journalist and a legal assistant before attending law school.
Want to read more articles like this? Sign up for our post notification newsletter, here.