Facebook will face Austrian privacy activist Max Schrems next week at Europe’s top court in a landmark case that could affect how hundreds of thousands of companies transfer personal data worldwide as well as Europeans’ privacy rights.
At issue are the standard contractual clauses used by Facebook and other companies to transfer personal data to the United States and other parts of the world, and whether these violate Europeans’ fundamental right to privacy.
Cross-border data transfers worth billions of dollars are a fact of life for businesses ranging from banks to carmakers to industrial giants.
Schrems, an Austrian law student, successfully fought against the EU’s previous privacy rules called Safe Harbour in 2015. He is now challenging Facebook’s use of such standard clauses on the grounds that they do not offer sufficient data protection safeguards.
Facebook’s lead regulator, the Irish Data Protection agency, took the case to the High Court in Ireland, which subsequently sought guidance from the Luxembourg-based Court of Justice of the European Union (ECJ).
Facebook was not immediately available to comment.
The court ruling will have a global impact, Tanguy Van Overstraeten, global head of data protection at law firm Linklaters, said.
“The whole data transfer system would be impacted and could impact the global economy,” he said.
“There are alternatives to the standard clauses, including the derogations set out in the GDPR such as consent, contractual necessity and others but they are strictly interpreted and difficult to apply in practice.”
Van Overstraeten said hundreds of thousands of companies would be hit if the ECJ rules against the clauses, compared to some 4,500 companies affected when Safe Harbour was struck down.
Safe Harbour was replaced in 2016 by the EU-U.S. Privacy Shield which was designed to protect Europeans’ personal data transferred across the Atlantic for commercial use.
Data privacy has become a major concern since revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance which triggered outrage among politicians in Europe. The EU adopted the GDPR data protection laws last year.
The case is C-311/18 Data Protection Commissioner V Facebook Ireland Ltd, Maximillian Sc.