Facebook legal woes in Europe over the years have largely been due to the activism of one man: Max Schrems. And in the last couple of weeks, the Austrian lawyer has scored a couple more significant victories, convincing the supreme courts of both Austria and Ireland not to block his cases against the social network.
If the cases play out as Schrems hopes they will, Facebook’s business model in Europe could be torn apart—and thousands of other American companies could be caught in the crossfire.
Schrems’s latest win came Wednesday, when the Austrian Supreme Court rejected Facebook’s attempt to block his privacy case against it. Schrems claims Facebook’s privacy policies are invalid under EU privacy law, and that it doesn’t get valid consent from users for the processing of their personal information. And now he gets to sue the company over the issue, in his native country.
‘Illegal’ policies
Schrems says Facebook’s policies are illegal because it forces people to consent to Facebook’s processing of their data, if they want to use the service. The EU’s General Data Protection Regulation (GDPR) does not allow forced consent as a valid legal basis for data-processing.
Facebook initially convinced the Vienna Regional Court that the company could only be sued in Ireland, where its European headquarters are, but the Vienna Appellate Court and now the Austrian Supreme Court said anyone can sue Facebook for GDPR violations, wherever they are in the EU.
“I am very pleased that we were able to clarify this fundamental issue. We are now hoping for a speedy procedure now that the case has been pending for a good five years,” Schrems said in a statement.
Indeed, this case has been rolling on since 2014. Schrems originally tried to make it a class-action suit—a novelty in Europe—but he lost that part of the battle last year, so what’s happening now is purely Schrems vs. Facebook. It’s still an important case, though, as it will establish whether or not Facebook’s policies are legal under European law.
“If we win even part of the case, Facebook would have to adapt its business model considerably,” said Schrems.
Facebook declined to comment on the Austrian Supreme Court ruling.
Surveillance fears
Schrems’s other big win came at the end of May, when the Irish Supreme Court threw out Facebook’s attempt to block Ireland from referring another Schrems case to the EU’s highest court, the Court of Justice of the European Union (CJEU.)
This case could have an even bigger impact than the Austrian case, because it could shred the ability of any U.S. company to import and process Europeans’ personal data. That doesn’t just mean big tech companies—it also means companies who have employees in Europe and need to handle their information for corporate reasons.
To understand the Irish case, it’s worth rewinding to Schrems’s most seismic (thus far) victory against Facebook, almost four years ago—the CJEU’s striking down of Safe Harbor, a key data-sharing agreement between the EU and the U.S.
Normally, the EU only allows Europeans’ personal data to be exported to another country if that other country has privacy laws that are as strong as the EU’s laws are. The U.S. does not qualify on that front, but most of the big tech firms are American, so the European Commission had come up with the Safe Harbor agreement as a way to keep data flowing legally across the Atlantic. The deal allowed companies to self-certify that, even if the U.S. didn’t have strong-enough privacy laws, those companies would stick to EU standards regarding how they treat Europeans’ data.
Except, as the CJEU ruled, the deal was fatally flawed—the U.S. government could at any time force American companies to turn over all their foreign users’ data to intelligence agencies. So in 2015 the court scrapped Safe Harbor, forcing the Commission and the U.S. to scramble to come up with a replacement.
Privacy shield
That replacement was a very similar deal called Privacy Shield. And Schrems’s latest Irish case could sink it, along with another more complicated legal mechanism—”standard contractual clauses”—that companies such as Facebook rely on to send data from the EU to the U.S.
Again, the issue is whether Europeans’ data can be sufficiently protected under American surveillance laws, and whether Europeans have the ability to complain if they think their EU privacy rights have been violated in the U.S.
The Privacy Shield deal involved the U.S. promising to keep more of an eye on companies that sign up to the Privacy Shield register, and to limit how much the American authorities can access Europeans’ data. The question now is whether the U.S. is living up to those promises.
The CJEU will hold hearings in the case in the coming months.
More must-read stories from Fortune:
—How your privacy will be protected in the 2020 Census
—Does the SEC’s ICO lawsuit against Kik go too far?
—Microsoft removes face recognition photos amid privacy controversy
—Brainstorm Finance is almost here. Join us on the beach this month
—Listen to our new audio briefing, Fortune 500 Daily
Sign up for The Ledger, a weekly newsletter on the intersection of technology and finance.
