Ireland’s privacy watchdog wants the European Union’s highest court to determine whether it’s legal for Facebook (FB) to be transferring EU customers’ data to the U.S. for processing under a mechanism known as “standard contractual clauses.”
This isn’t just about Facebook—it could be very bad news for many U.S. multinationals with a European presence.
In many ways, this is Groundhog Day. Remember last year’s annulment of the EU-U.S. deal that let American firms easily process Europeans’ data? That was down to a ruling in a very similar case involving Facebook—with the same complainant, an Austrian law student called Max Schrems.
Get Data Sheet, Fortune’s technology newsletter.
Schrems wanted the Irish data protection commissioner (DPC) to investigate Facebook’s data transfers to the U.S., because he was worried about the mass surveillance revelations of Edward Snowden. The watchdog refused, and the case went up to the European Court of Justice (ECJ), which killed the “Safe Harbor” arrangement that Facebook and many other tech firms used to serve EU citizens. Crucially, the court also ordered the Irish DPC to stop blanking Schrems.
Safe Harbor is now being replaced (in theory) by a tougher new deal called “Privacy Shield,” but in the meantime U.S. firms that want to serve European customers and deal with the information of their EU employees have to use a small selection of other legal mechanisms.
Facebook is using a tool called “standard contractual clauses” or “model clauses” or “model contracts” (which it’s had in place for ages as a backup) to stay on the right side of the law. Now the Irish DPC isn’t sure if this mechanism is legal either.
Specifically, Schrems has pointed out to the DPC that these model clauses don’t give European citizens an adequate way to complain if a U.S. agency taps into their data. This looks like a contravention of EU fundamental rights, so the watchdog is looking for answers at the highest level.
“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data,” the DPC said in a statement. “We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the [ECJ] to determine the legal status of data transfers under standard contractual clauses. We will update all relevant parties as our investigation continues.”
According to Schrems, this was inevitable.
“All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with,” he said in a statement. “As long as the U.S. does not substantially change its laws I don’t see [how] there could be a solution.”
For more on Facebook, watch:
Facebook pointed out that the question is relevant to many more companies than itself. “Thousands of companies transfer data across borders to serve their customers and users,” it said in a statement.
“While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish [DPC] in its investigation. Standard contract clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.”
Those “other legal methods” are getting thinner and thinner, though. Fortune understands the consent of the user is a key mechanism here, and that is legally shaky due to the issue of how informed that consent can be where surveillance is involved.
The Privacy Shield deal could provide a solution, assuming it actually happens. The European Commission and the U.S. want it to happen, but Europe’s privacy regulators are dissatisfied with American promises to limit mass surveillance to specific circumstances, as well as with the complaint mechanisms envisioned for Europeans dealing with the U.S. system.
What’s more, a draft resolution from the European Parliament backs up the regulators. A separate committee representing EU countries is also yet to give its approval to the deal.
“Europe risks drifting into data isolation as its tools for data transfers to the world are increasingly challenged,” said Christian Borggreen, the international policy director for tech trade body the Computer & Communications Industry Association (CCIA Europe). “We urgently call for the adoption of a strengthened EU-US Privacy Shield to restore companies and consumers’ confidence in transatlantic data flows.”