The fallout from Edward Snowden’s NSA surveillance revelations continues to jeopardize U.S. tech firms’ European operations.
On Tuesday, the Irish High Court said it would ask the European Union’s top court to decide whether Facebook (FB) can continue to send Europeans’ personal data to its U.S. operations. And whatever the Court of Justice of the European Union (CJEU) decides will have major implications for many companies, not just Facebook.
Facebook has been relying on a legal mechanism called “standard contractual clauses” for its transatlantic data flows, ever since the CJEU cancelled the so-called Safe Harbor data-sharing agreement between the EU and the U.S. The court struck down the deal largely because it did not guarantee the safety of Europeans’ personal data from the U.S. National Security Agency (NSA) and its PRISM program.
That ruling came in a long-running case brought against Facebook by an Austrian law student named Max Schrems, who was concerned about the privacy of the personal information he puts onto the social network.
Schrems continued his fight after the Safe Harbor ruling, turning his attention to Facebook’s use of standard contractual clauses to send user data from its subsidiary in Ireland—where its EU operations are based—to the U.S. mothership.
Specifically, he wanted the Irish privacy regulator to declare that Facebook was breaking the terms of the mechanism as it could not stop the NSA from rifling through his communications.
However, the Irish data protection commissioner went a step further by challenging the validity of the entire mechanism, on the basis that singling out Facebook would be unfair. It went to the High Court, which has now thrown the issue back to the CJEU due to its importance.
The upshot is that—if the CJEU nixes all standard contractual clauses between EU and U.S. companies—Facebook and a lot of other online communications companies will find themselves on extremely shaky legal ground. It’s possible that they will have to stop sending personal data across the Atlantic altogether.
Safe Harbor, which allowed U.S. firms to assert that they uphold EU-grade privacy standards, has since been replaced by a similar deal called Privacy Shield, but that too is being challenged as it also doesn’t stop the NSA from snooping around EU citizens’ data held on U.S. servers.
A Facebook spokesperson said there was “no immediate impact” on the people and businesses using the company’s services.
“Standard contract clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the U.S. or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption,” the spokesperson said.
Schrems welcomed the judgement, saying it was “important that a neutral court outside of the U.S. has summarized the facts on U.S. surveillance in a judgement.”
“U.S. law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” he added. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”