Case opening this week in European Court of Justice could invalidate legal basis for transfer of citizens’ data to any country outside the European Union
Facebook is to contend with privacy challengers in the EU’s top court on Tuesday, in a case that could have broad implications for thousands of companies that transfer EU citizens’ data to other countries.
The case calls into question a legal mechanism known as standard contractual clauses, used by Facebook and others as the legal basis for such data transfers.
Such transfers are broadly used for everything from email to a range of basic online services, in cases where servers may be based outside the European Union.
The case, brought by Austrian privacy lawyer Max Schrems, is a continuation of a legal battle with Facebook that in 2015 saw the European Court of Justice (ECJ) strike down an agreement known as Safe Harbour, which had been used since the turn of the millennium to transfer EU data to the US.
In the wake of Edward Snowden’s disclosures of US mass surveillance – of which Facebook was revealed to be a specific target – the ECJ found that Safe Harbour was invalid, since it was exposing EU citizens’ personal information to mass data collection by the US’ National Security Agency (NSA).
In the wake of that decision, the US and the EU reached another arrangement known as the Privacy Shield, which includes additional privacy protections for EU citizens and allows them to make complaints in the US.
While Privacy Shield operates specifically between the US and the EU, standard contractual clauses are much broader, covering transfers from the EU to any other jurisdiction around the world.
Used by companies in about 190 countries, they are more complex to set up than Safe Harbour or Privacy Shield.
When Safe Harbour was first struck down Facebook already had such clauses in place, and so was able to fall back on them to continue doing business in Europe, without the need for any significant changes.
That is exactly the problem being addressed in the case currently before the ECJ: campaigners argue that nothing essential has changed, and that Facebook is continuing to expose EU citizens’ data to a surveillance risk by transferring it to the US.
Schrems says that all along, he has been pushing the court in Ireland – the location of Facebook’s EU headquarters – simply to enforce existing privacy laws and force Facebook to properly protect EU citizens’ data.
“The Irish (regulator) must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over,” Schrems said in a statement on Monday.
“This case has been pending for six years… We don’t have a problem with standard contractual clauses; we have a problem with enforcement.”
The Irish data protection agency, on the other hand, has sought instead to shift the case’s focus onto the data transfer mechanisms in question, first Safe Harbour and now standard contractual clauses.
The 15 judges of the ECJ’s grand chamber are to examine those clauses this week and, if they are found to be failing to oblige companies to apply an EU standard of privacy protection, they may be invalidated entirely or altered into some other form.
Either result could cause significant disruption for the thousands of companies that use them and, potentially, for businesses and end users who make use of those companies’ services.
Industry watchers noted that when Safe Harbour was overturned, companies had a backup to turn to in the form of standard contractual clauses, but if those are invalidated as well, there is no obvious fallback solution to turn to.
The court is also to consider whether Privacy Shield is fit for purpose, meaning its decision is likely to affect that mechanism as well.
“The whole data transfer system would be impacted and could impact the global economy,” Linklaters data protection lawyer Tanguy Van Overstraeten told Reuters.
Facebook, which has long tried to stop the case from reaching the ECJ, emphasised the potential for disruption, noting that the clauses in question are used by Europeans “to do business worldwide”.
They “provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” said Facebook associate general counsel Jack Gilbert in a statement.
However, Linklaters technology and privacy lawyer Peter Church told Bloomberg it was “pretty unlikely” the court will uphold standard contractual clauses in their current form.
Such a ruling could expose companies to “significant compliance risks”, commented DLA Piper data protection lawyer Ross McKean.
A final decision from the ECJ is expected late this year or early next year.