IThe American Internet company Facebook has won a stage victory in a dispute with the Irish Data Protection Authority. On Monday evening, the Irish High Court suspended the Data Protection Commission’s investigation into possible violations in the transfer of data to the United States. It has not yet been linked to an assessment of the content of the allegations. It is clear that Irish judges are concerned about the actions of the supervisory authorities. A Facebook spokesman welcomed the Irish court’s decision. “International data transfer is the foundation of the global economy and supports many of the services that are fundamental to our daily lives,” she said.

This is a new twist on a process that has far-reaching implications for many other companies that process corporate data or customer information about IT providers in the United States. The social network Facebook is just one prime example, but ultimately it affects companies that use American e-mail platforms or even cloud providers. Last week, the Irish Data Protection Authority was surprised by the news that it was initiating proceedings against the American group, after years of inactivity, in which it questioned the terms of the standard contract used for data processing.

An impact from the ECJ

Ireland has a different history of this intervention: this case was the emotional verdict of the European Court of Justice, which in July caused a stir beyond Facebook. In it, European judges declared the European Data Protection Agreement (“Privacy Shield”) with the United States a violation of European law because it did not provide EU citizens with adequate protection against data protection violations, for example in the United States. It affected more than 5,000 companies that relied on the agreement for data transfer.

However, the implications of judges’ discipline in relation to EU standard treaty provisions are far-reaching. Criticism of European judges extends to these model clauses, which make it available to EU companies to create legal guarantees. The judges did not declare these ineffective, but there remains great uncertainty about the legal implications thereafter. Companies that use these phrases are currently living at the risk that supervisory authorities will intervene against them under personal circumstances. It just happened on Facebook.

Time also came as a surprise. A working group of the European Data Protection Board is currently in the process of evaluating the practical implications. The European Commission and the US Secretary of Commerce are discussing how to regulate Atlantic data traffic in the future. However, a solution is not in sight, because the problem lies in very different data protection: the strict rules of the European General Data Protection Regulation have been in effect in Europe for more than two years, although the US secret services and law enforcement authorities have far-reaching powers.