Five years ago, when activist Max Schrems took Facebook Inc. to the European Union’s top court no one knew what to call it. The case, which led to judges scrapping a key trans-Atlantic data-transfer agreement, was referred to as the Safe-Harbor dispute or other unmemorable technical terms.
On Tuesday, Schrems is back at the EU Court of Justice in Luxembourg to challenge Facebook in another case that could rewrite data-privacy law and which the legal community has given a catchier moniker: Schrems II.
The latest lawsuit challenges the legality of tools used by companies to move commercial data outside of the EU. The first Schrems case led to a surprise ruling in 2015 that struck down a widely-used trans-Atlantic data-transfer system over concerns U.S. spies could get unfettered access to EU data.
At risk in the latest case are Standard Contractual Clauses, which companies rely on as the most efficient alternative to transferring commercial data after the EU court’s first decision. It also questions parts of the so-called EU-U.S. Privacy Shield, the new trans-Atlantic data transfer pact adopted in 2016 to replace Safe Harbor.
“This is a far more important and significant case than the first Schrems decision,” said Ross McKean, a data protection lawyer at DLA Piper in London, who isn’t involved in the litigation. “When the court torpedoed Safe Harbor, there was an alternative. What’s different with Schrems II is, we don’t have any alternative, at least none which is quick and easy to implement.”
Schrems, 31, has been challenging Facebook in the Irish courts — where the social media company has its European base — arguing that EU citizens’ data is at risk the moment it gets transferred across the Atlantic. The Irish court last year sought the EU judges’ advice, focusing on the standard contractual clauses. The outcome could ultimately affect thousands of companies across the bloc that use the EU-regulated tool.
Safe Harbor and now the Privacy Shield, help protect data transferred between the EU and the U.S. Standard contractual clauses go much further, because they cover data transferred between the EU and all non-EU countries.
Menlo Park, California-based Facebook said in a statement that standard contractual clauses “enable thousands of Europeans to do business worldwide.”
The clauses “provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” Jack Gilbert, Facebook’s associate general counsel, said in the statement.
Facebook tried for almost two years, and failed, to prevent the Irish court from referring the dispute to the EU tribunal. Peter Church, a technology and privacy lawyer at Linklaters in London, said it’s “pretty unlikely” the EU court will uphold the standard contractual clauses in their current form. The Irish judge, in the opinion referring the case to the EU tribunal, was “pretty negative” on the issue, he said.
For Schrems, it’s not the tool in itself that is the problem. He questions Facebook’s use of the standard contractual clauses, and has urged the nation’s data protection regulator to suspend Facebook’s EU-U.S. data flows. The Irish watchdog went a step further and questioned the validity of this tool more generally.
The Irish regulator “must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over,” Schrems said in an emailed statement. “This case has been pending for six years.”
If the clauses and even the Privacy Shield were torpedoed for failing to provide sufficient safeguards to protect the data of European citizens, it would leave companies with no good alternatives. The legal gap created by such a ruling would expose companies to “significant compliance risks,” said McKean.
They could be in breach of the EU’s one-year-old privacy rules, the General Data Protection Regulation, and face possible fines of as much as 4% of annual sales.
“And it’s not just the regulators that could be coming for them, it’s also the likes of Mr. Schrems” in consumer lawsuits across Europe, said McKean. Schrems founded a group called noyb — for none of your business — that he has already used to file complaints.