Facebook has failed in a last-ditch attempt to delay a major privacy case’s journey to Europe’s top court.
Last year, the Irish High Court said that it would ask the European Court of Justice (ECJ) to decide whether the legal mechanism Facebook uses to send European’s personal data over to the U.S. is valid or not.
The case in question was brought about by Facebook’s arch-nemesis, the Austrian law student Max Schrems, who has already succeeded in sinking the Safe Harbor agreement that gave U.S. firms a simple way to import the data of people from the European Union. As before, he is concerned that U.S. intelligence programs break Europeans’ privacy rights.
Since Safe Harbor was sunk, Facebook has relied on so-called “standard contractual clauses” for its transatlantic data transfers, along with the Privacy Shield data-sharing scheme that replaced the earlier agreement. The Irish High Court’s referral to the ECJ only specifically asks the European court to clarify whether standard contractual clauses are valid or not, given the existence of U.S. mass surveillance programs such as PRISM, but the ECJ may also choose to decide on the validity of Privacy Shield.
That makes this case an extremely big deal, and not just for Facebook. If standard contractual clauses and Privacy Shield are struck down, most U.S. firms will no longer legally be able to import Europeans’ personal data.
On Monday, the company tried to delay the referral of the case to the ECJ, so it could appeal the case to the country’s Supreme Court.
However, on Wednesday the High Court turned down Facebook’s request. It sided instead with the Irish privacy watchdog, the Data Protection Commissioner, which said any delay could create a “risk of injustice” by allowing the data of millions of Europeans to be processed unlawfully.
“In my opinion very real prejudice is potentially suffered by Mr. Schrems and the millions of EU data subjects if the matter is further delayed by a stay as sought in this case,” said the judge. “Their potential loss in unquantifiable and incapable of being remedied.”
Schrems told Fortune that, while the case will now head off to the ECJ, Facebook will “probably fight for the next year to get it pulled back.”
Indeed, Facebook later said in a statement: “We are disappointed not to have been granted a stay on the preliminary reference being made to the [ECJ]. We intend on continuing with seeking leave to appeal the High Court’s decision to the Irish Supreme Court.”
The reason companies in the U.S. need these special arrangements to import EU citizens’ data is that the U.S. does not have privacy laws that are equivalent to those in the EU. That means companies in the U.S. have to say that they respect EU-grade privacy rules, even if their country as a whole does not.
This article was updated to include Facebook’s statement.
