Facebook EU-US data transfer complaint: Schrems gets a judicial review of the Irish DPC’s procedure

Natasha Lomas
Senior Reporter, TechCrunch
October 12, 2020
In the latest development in the ongoing legal challenge over Facebook’s data transfer practices, European privacy advocate Max Schrems has secured a judicial review of how the Irish regulatory body is managing his formal complaint.

He anticipates the hearing will occur before the year’s end and expresses hope that this action will ultimately result in a halt to Facebook’s data transfers between the EU and the United States.

Schrems stated that his objective is to reactivate a complaints process that has been put on hold, following the Irish Data Protection Commission’s (DPC) decision last month to initiate a new case procedure while simultaneously suspending work on his initial complaint, which was originally filed seven years ago.

The original complaint gained renewed prominence after a ruling from Europe’s highest court this summer invalidated a key EU-US data transfer agreement, known as Privacy Shield, and raised concerns about the legitimacy of other methods used to send EU citizens’ data to the U.S. for processing, particularly when those processors are subject to U.S. surveillance laws, as is the case with Facebook.

Despite this, a decision on Schrems’ original complaint remains outstanding, prompting his return to court.

“The DPC had previously assured the Court in 2015 that it would reach a decision promptly. It appears a definitive judgment is necessary to compel the DPC to fulfill its responsibilities,” Schrems explained in a statement regarding the granted judicial review.

https://twitter.com/maxschrems/status/1315625962516680705

Facebook has already been successful in obtaining a judicial review of a preliminary order issued by the DPC last month, which aimed to suspend its data transfers to the U.S. A stay was granted on this preliminary order, meaning that data transfers continue without interruption, even as the regulatory process faces further legal challenges.

This stay also provided Facebook with additional time to engage with EU legislators to “resolve” the legal uncertainties surrounding EU-U.S. data transfers. Notably, Facebook’s VP, Nick Clegg, participated in a live debate last month, forecasting negative economic consequences for the region’s smaller businesses should Facebook be forced to suspend these transfers. (Clegg also asserted that Facebook’s “personalized advertising” practices would be crucial for Europe’s economic recovery from the coronavirus pandemic, without acknowledging the availability of alternative, less intrusive advertising methods…)

It is clear why Schrems is dissatisfied with the transformation of his 2013 complaint into a prolonged regulatory process that allows Facebook to maintain its data collection activities without constraint.

In a press release from his privacy advocacy organization, noyb, Schrems stated: “Today’s Judicial Review by noyb is, in many respects, the counterpart to Facebook’s Judicial Review: While Facebook seeks to obstruct the second procedure initiated by the DPC, noyb aims to advance the original complaints procedure towards a resolution.”

“The DPC initiated a second case, effectively attempting to remove the complainant from the first case. This second case was then stalled by a lawsuit from Facebook within weeks. This constituted a clear case of procedural mismanagement by the Irish regulator. We are now attempting to restart the original procedure from 2013 to finally obtain a decision from the DPC after seven years and five court rulings that have consistently supported our position,” he added in the statement.

Schrems/noyb is also leveling a more direct accusation against the regulator, alleging that they have seen documentation suggesting Facebook has been utilizing alternative data transfer mechanisms to send EU users’ data to the U.S. — and claiming the regulator has been aware of this since 2016, yet failed to disclose the information.

“The documents we have received indicate that seven years of proceedings and both references to the European Court of Justice were largely inconsequential to the case before the DPC,” Schrems wrote, accusing the regulator of concealing documents from the Courts and his legal team “despite our entitlement to access all case files”. “We are therefore requesting the High Court to clarify that all documents must be presented, all parties must be properly heard, and a swift decision must then be made,” he further stated.

The DPC was contacted for comment but declined to address specific points at this time. Deputy Commissioner Graham Doyle stated: “As you can see, Mr Schrems’ application to the Court this morning was made ex parte, meaning that any arguments presented were unchallenged. We will outline our position when we submit our own response to the Court.”

Ireland’s regulator is frequently criticized for its slow pace in enforcing the bloc’s data protection regulations against major technology companies and platforms, many of which have established their regional headquarters in the country — meaning their data handling practices typically fall under the DPC’s oversight. (This, in turn, results in a substantial backlog of complex, cross-border cases requiring investigation and decision-making.)

More than two years after the GDPR became enforceable, the DPC has only submitted one draft decision in cross-border cases (related to a Twitter security breach) — which is still awaiting approval from the EU’s other data protection authorities.

Numerous other cases remain pending on its agenda.

A Commission review of GDPR conducted in June highlighted a lack of consistent and robust enforcement, with lawmakers acknowledging: “The most effective response [to criticism of GDPR’s failure to regulate large tech companies] will be a decision from the Irish data protection authority regarding significant cases.”

Separately, Irish parliamentarian Malcolm Byrne recently raised concerns in the senate regarding another long-standing complaint that is currently awaiting review by the DPC — concerning Google and the real-time bidding process used in programmatic advertising — which also remains an open investigation.

Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time with TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – concentrating on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.