This prompted Schrems to file a complaint about Facebook's handling of his data -- in Ireland, because that's where the Facebook subsidiary legally responsible for European users' personal information is based. The Data Protection Commissioner dismissed his complaint, and Schrems, unsatisfied, appealed to the High Court of Ireland, which in turn referred questions about the interpretation of the 1995 directive to the Court of Justice of the European Union.
The CJEU replied very broadly to the Irish court's questions, affirming that national data protection authorities had not just a right but an obligation to investigate complaints like that of Schrems even if they called into question deals made by the European Commission such as Safe Harbor Agreement -- and then declared that agreement invalid.
The European Commission and the national data protection authorities put a brave face on it, saying that they were close to finalizing a stronger data protection agreement with U.S. authorities, giving companies reliant on Safe Harbor a three-month grace period in which to make alternative arrangements -- and reminding everyone of the alternate legal mechanisms that Safe Harbor was brought in to simplify.
While the CJEU's ruling specifically targeted Safe Harbor, it raised doubts in the minds of legal scholars about the validity of the other legal mechanisms to protect data transfers. German regional data protection authorities like the one in Hamburg were so concerned, they refused to issue new authorizations to use such mechanisms, and said they would audit and even prosecute companies that did not have appropriate protections in place. The safest place for Europeans' data, they said, is in Europe.
Schrems' latest complaints make that same point, seeking to demonstrate that no legal mechanism available to Facebook Ireland can oblige or enable its U.S. parent company to protect his personal information to the extent required by EU law.
Facebook has repeatedly said it is not concerned by the demise of Safe Harbor because it relies on other legal mechanisms to enable the export of its customers' data, while declining to specify what those mechanisms are.
It now appears, though, that since November 2013 the company has been relying on a binding corporate rule, which it updated on Nov. 20. A few days before Schrems filed his updated complaint -- and some six weeks after he requested the information -- Facebook provided his lawyers with a copy of its contract with Facebook Ireland governing the exchange of data.
Facebook did not respond to a request for comment on Schrems' complaint, or to questions about its response to the CJEU's ruling.
Sign up for CIO Asia eNewsletters.