One Transatlantic Data-Sharing Pact Is Already Dead. Today’s Case Against Facebook Could Kill Another
In 2013, NSA contractor Edward Snowden revealed to the world how, among other things, the U.S. was forcing tech companies to give American spies access to the data of millions of people around the globe, through a program called PRISM.
That revelation is still emitting shockwaves some six years later.
The U.S. surveillance efforts have landed American companies under the microscope in the European Union, putting in question their ability to continue to import the data of people—customers, users and employees—in the bloc. The pressure upended one transatlantic data-sharing agreement, but firms managed to preserve the stream of digital information. They face a new threat come Tuesday.
That’s when the EU’s top court will hold a hearing in a landmark case against Facebook that could change the privacy landscape for the world’s biggest online platforms—and numerous multinationals to boot.
The Court of Justice of the European Union in Luxembourg will consider this vital question: all these years after Snowden, if U.S. companies still cannot guarantee the privacy rights of Europeans when they handle their data, should that mean an end to the trans-Atlantic data flow?
At the center of this debate is an Austrian lawyer named Max Schrems, who in 2011 was an exchange student at Silicon Valley’s Santa Clara University. During his time there, a Facebook privacy lawyer spoke to his class, and Schrems realized the lawyer had little respect for Europe’s relatively tough data protection rules.
So began Schrems’s crusade to get Facebook to clean up its act.
Schrems, now 31, lodged a series of complaints with the data protection authority in Ireland, where Facebook’s international headquarters are based. He proved quite successful too, as an audit prompted by his complaints resulted in Facebook disabling its facial recognition software in the EU.
In 2013, following the Snowden revelations, Schrems made another complaint about Facebook’s inability to protect his information from American intelligence, arguing that Facebook could not legally send his data from Europe to its U.S. base.
The adequacy question
The Irish privacy authority initially said it couldn’t investigate Schrems’s complaint because of a 2000 agreement between the U.S. and the EU called Safe Harbor.
Under EU law, Europeans’ personal data isn’t supposed to be sent to a country outside the bloc unless that country has similarly tough data protection laws. This isn’t true of the U.S., but since the biggest online firms are based there, Safe Harbor served as a kind of legal Band-Aid: under it, American firms could self-certify that they adhere to EU-strength privacy rules, even if their country does not.
Facebook had taken this pledge, so the Irish privacy watchdog claimed it couldn’t deal with Schrems’s privacy complaint. He fought back, and the case went up to the Court of Justice of the European Union (CJEU)—the bloc’s highest court.
In 2015, the court issued a stunning ruling: not only did it say that data protection authorities could investigate complaints about the violation of Europeans’ privacy rights, it also said Safe Harbor wasn’t protecting those rights, because of American mass surveillance laws. The CJEU struck down Safe Harbor, with immediate effect.
Cue panic on both sides of the Atlantic. Suddenly, the legal basis for many companies’ transfer of data from Europe to the U.S. had been snatched away.
Safe Harbor wasn’t the only legal means by which companies could get their customers’ and employees’ data over the ocean—just the easiest. A key alternative? So-called “standard contractual clauses”—a formulaic set of promises about protecting people’s data—though this takes a long time to set up and requires approval from EU privacy authorities.
Facebook had already set up standard contractual clauses, so it was able to keep operating legally in Europe. But for many other tech firms, and therefore for the European Commission, the sudden demise of Safe Harbor was a big problem.
The Commission and its U.S. counterparts scrambled to replace the stricken deal. In February 2016, they introduced a new agreement called Privacy Shield, which was like Safe Harbor—but supposedly with added protections for Europeans.
Crucially, the U.S. promised to place new limits on intelligence agencies’ access to Europeans’ data, and Europeans are able to make complaints in the U.S. about how American companies are treating their data—a new role of U.S. “Ombudsperson” was set up to handle the complaints.
So, all good now? Not quite.
Max Schrems’s landmark 2015 victory at the EU’s highest court didn’t end his case. It went back to the Irish data protection authority, which this time agreed to investigate it. But instead of cracking down on Facebook specifically—an outcome Schrems has pursued—the regulator sent the case back to the court in Luxembourg, again with its scope stretching beyond the social network itself.
On Tuesday, the court will establish whether standard contractual clauses—the legal tool that Facebook and many other companies now use—are also invalid. In evaluating the clauses, the CJEU will size up the Privacy Shield too. After all, if U.S. mass surveillance laws mean companies can’t abide by the privacy-protection promises they make in standard contractual clauses, the same could easily apply to their similar Privacy Shield promises.
Even with the potentially profound implications, Schrems himself isn’t keen on the broad approach. “The Irish [regulator] must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over,” Schrems said in a statement Monday. “This case has been pending for six years… We don’t have a problem with standard contractual clauses; we have a problem with enforcement.”
Facebook, for its part, defends the clauses as “important safeguards to ensure that Europeans’ data are protected once transferred overseas,” associate general counsel Jack Gilbert said in an emailed statement. He argues that standard contractual clauses “have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide.”
But Facebook and the U.S. have a big problem here: the Irish High Court has already ruled that the U.S. government conducts mass surveillance on personal data held on U.S. servers. So, as far as the CJEU is concerned, that’s no longer up for debate—and the CJEU has previously said that such “mass processing” violates EU fundamental rights.
That means the crux of the matter is not whether Facebook is able to stop the U.S. government from prying into people’s data—it can’t—but to what degree the CJEU will strangle the flow of that data.
Gilbert’s statement only hints at the potential scale of an adverse impact. Just how high are the stakes? “The whole data transfer system would be impacted and could impact the global economy,” Linklaters’ top data protection lawyer, Tanguy Van Overstraeten, told Reuters. “If the carpet is pulled out from [under] companies’ feet, it may cause massive disruption,” Omer Tene, vice-president of the International Association of Privacy Professionals, told Politico.
So multinationals of all kinds had better keep a close eye on the judgement coming out of Luxembourg later this year.