Last Thursday the Irish High Court opted for the Court of Justice of the European Union to decide on the legality of current EU-US data transfer practices. The case has been under Irish court jurisdiction since Facebook’s European headquarters are located in Ireland. Facebook Ireland Ltd. sends all its data to its US headquarters, Facebook Inc.
Most data transfers between the EU and the US are covered by the so-called ‘standard contractual clauses’. US tech giants use them to demonstrate compliance with EU privacy laws.
Facebook has been singled out as the most egregious violator. Maximillian Schrems, an Austrian privacy activist, has taken the matter to court by suing Facebook. In order for data to be transferred outside the EU, the recipient country must guarantee the same level of protection. Mr Schrems argues this is not the case for personal data held on US servers.
The Irish Commercial High Court sided with the plaintiff and the Irish Data Protection Commissioner by concluding that their practices might be illegal and referring the matter to the EU’s top court.
The key issue is not with guaranteeing corporate data safety, but its potential misuse and spying by the US government agencies, such as the NSA. Apparently, companies cannot demonstrate the data would be safe from such intrusions. Today we know of at least a few, such as the PRISM program. The NSA has been known to aggregate data by directly tapping into Facebook’s databases, reports the EFF.
The standard contractual clauses gained traction after the Safe Harbor, another transfer mechanism, was struck down two years ago and replaced with the EU-US Privacy Shield. The Privacy Shield does not address the government spying issue. This has led to doubts about its legality as well. This has further fostered the adoption of standard contractual clauses.
The plaintiff, Max Schrems, does not expect the contractual clauses to be struck down, but hopes the US privacy regulations will finally be raised to a higher standard.
According to Reuters, Facebook claims a “breakdown in transatlantic data transfers” could lead to a drop in EU’s economic output of 1.3 percent.
We can expect the CJEU ruling within the next year and a half. The CJEU ruling will affect all contractual clauses, not only Facebook’s. About 88 percent of EU companies employ contractual clauses for cross-border data transfers. With the advent of the General Data Protection Regulation next year, the issue will be further complicated.
The EFF further reports that if these contractual clauses were rejected, it would lead to a form of “data embargo” for American businesses until the US Government is able to prove EU data is safe from surveillance. It is unlikely the US Government will stop with its practices, though.
Instead, the affected companies could be forced to store the data within the EU and keep it in a sandbox of sorts, away from the US and its governmental organisations.
Whatever the decision may be, we are certain it won’t be the end of the NSA spying saga.