irish dpc bill eu-us transfer

Irish DPC to cover € 2.9M of legal bill of EU-US data transfer case

DPC ordered to pick up most of the legal bill of EU-US data transfer case

Today, the Irish High Court has ordered the DPC to cover the costs of Mr Schrems’ legal team in relation to this summer’s decision on EU-US data transfers before the Court of Justice of the European Union (CJEU). The DPC is not entitled to their costs from Facebook, except the cost for three court days will have to be covered by Facebook.

Background. Mr Schrems filed a complaint against Facebook in 2013 in the wake of the disclosures by Edward Snowden on Facebook’s cooperation with the US Security Agencies, like the NSA.

After a first trip to the CJEU in 2015 on the “Safe Harbor” Decision, the Irish DPC filed another lawsuit against Mr Schrems and Facebook to “clarify” the interpretation of EU law.

5 years, 6 weeks, 45.000 pages. The second case ran for more than five years before three courts in Ireland and on EU level. Up to 25 solicitors and barristers attended the hearings before the Irish High Court. More than 45.000 pages of documents were submitted by Facebook and more than six weeks of hearings were necessary to deal with the different arguments. In particular, Facebook took every option to expand and delay the procedure.

Mr Schrems ultimately succeeded with his arguments against the Irish Data Protection Commission (DPC) and Facebook before the CJEU. He is now entitled to at least have his legal costs from the plaintiff (the DPC) covered under the “loser pays” principle.

Max Schrems: “I filed a short complaint and suddenly I was named as defendant in an extremely complicated case that was to a large part not necessary in my view. Our arguments ultimately succeeded at the European level. The DPC now has to pick up the legal bill for this case, other than three days that Facebook needs to pay.”

Costs Decision. The court decided today that the DPC has to recover all costs of Mr Schrems, but that Facebook has to recover the DPC’s and Mr Schrems costs for three days of the hearings. In these three days Facebook as unsuccessfully tried to amend the judgment by the High Court. Today’s decision is a decision in principle, while the exact amounts of legal costs will be determined at a later stage. No damages or other payments were sought by Mr Schrems. The recovery he sought is purely to cover the costs of his legal representation and necessary expenses.

About € 2.9 Mio have already gone to the DPC’s own lawyers in the EU-US data transfer litigation (Link). These costs will ultimately have to be covered by the Irish taxpayer, as the DPC was unsuccessful in the case and in the attempt to recover these costs from Facebook, other than three days of the more than six weeks of hearings. The DPC’s 2021 budget was increased to €19.1 Mio, tenfold within seven years. Nevertheless, the DPC’s lawyer bill for this case alone amounts to 15% of the DPC’s budget for 2021.

Max Schrems: “I worked countless unpaid hours on this case. The costs that we now seek are the external costs for the necessary legal representation by solicitors and barristers in Ireland that had to deal with five years of court hearings and more than 45.000 pages of documents. Instead of making a decision already in 2015 the DPC has invested Millions into a case that has delayed the procedure for five years and that they have ultimately lost. The Irish taxpayer now has to pick up parts of the bill for this exercise.

No decision by DPC after 7 years and 5 judgments. The second reference to the CJEU has apparently not brought the necessary “clarity” required by the DPC. Despite the enormous costs: The data protection watchdog has refused to determine Mr Schrems’ complaint, despite the CJEU judgment.

Instead of making a final determination after seven years, the DPC decided to start a second inquiry into Facebook. Facebook immediately obtained a Court Order restraining the DPC from proceeding with a new inquiry until the Court determines its legality. Mr Schrems, in turn, filed legal actions to finally get his case decided. The three parties will therefore see each other again in December and January to have the Court decide on the next steps.

Max Schrems: “Kafka could not have made this procedure up. Five Courts have dealt with this complaint for over seven years. We have won at every stage, but the DPC had still not decided on a complaint from 2013. It is either total mismanagement of the procedures or simply unwillingness to do their job – either way the situation is highly problematic.”

Source: noyb

Photo by Robert Anasch on Unsplash

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on print
Share on email

Latest Blog Posts

dpa gdpr

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the application of the GDPR. They

Read More »

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data