Austrian privacy activist Max Schrems’ seven-year battle against Facebook reaches a crucial point tomorrow (19 December) when an adviser to Europe’s top court will issue his view on whether tools used by companies to transfer data abroad are legal or not.
At stake are standard contractual clauses used by Facebook and hundreds of thousands of companies, ranging from banks to industrial giants to carmakers, to transfer personal data to the United States and other parts of the world.
Another issue is whether the EU-U.S. Privacy Shield, which came into existence in 2016 and designed to protect Europeans’ personal data transferred across the Atlantic for commercial use, is lawful or not.
Schrems, an Austrian law student, who successfully fought against the EU’s previous privacy rules called Safe Harbour in 2015, challenged Facebook’s use of standard clauses on the grounds that they do not offer sufficient data protection safeguards.
Facebook’s lead regulator, the Irish Data Protection agency, took the case to the Irish High Court which then sought guidance from the Luxembourg-based Court of Justice of the European Union (CJEU).
The opinion by Henrik Saugmandsgaard Øe, advocate general at the Luxembourg-based Court of Justice of the European Union, is non-binding. However, judges follow such recommendations in four out of five cases. The court will rule in the coming months.
The case has implications for companies because the transfer measures are essential in ensuring the free flow of data to non-EU countries, said Jamie Drucker at UK-based law firm Bristows.
“They underpin some of the most significant business operations, including outsourced services, cloud infrastructure, data hosting, HR management, payroll, finance, and marketing,” he said.
If the Court invalidates the measures, “this would mean they (companies) would either need to suspend transfers of personal data to these countries or risk breaching the GDPR and exposing themselves to significant revenue-based fines,” Drucker said.
Landmark privacy rules known as GDPR adopted last year gives privacy watchdogs the power to fine companies up to 4% of their global annual revenue for violations.
The case is C-311/18 Facebook Ireland and Schrems.