The EU’s top court will take a decision on Thursday that threatens to throw global internet traffic into chaos, as judges decide on the legality of Facebook’s data transfers between the US and Europe.
It will rule on the second attack on transatlantic data arrangements by Austrian activist Max Schrems, who in 2015 scuppered a previous EU-US deal on which tech giants depended to do business.
Schrems’ legal assault stemmed from the revelations by Edward Snowden of mass digital spying by US agencies, which the EU court at the time said were incompatible with European norms on privacy.
That decision struck down a deal called “Safe Harbour” that allowed for data transfers between Europe and US servers, throwing transatlantic business into legal limbo.
It was quickly replaced by another pact known as “Privacy Shield” that is currently used by over 5,000 US companies.
But “Privacy Shield” could be similarly struck down by EU judges at the European Court of Justice, plunging internet traffic into fresh disarray, with companies stripped of legal cover and at risk of massive fines.
As the landmark decision loomed, a top EU official told AFP that contacts between Brussels and Washington had intensified in hopes of preparing the ground for all eventualities.
“Our ambition is to respond together and figure out ways we can adapt to the decision,” the EU’s Justice Commissioner Didier Reynders said.
“We are not in the same situation as 2015, for one we now have GDPR,” he added, referring to the EU’s rules on data privacy that did not exist at the time.
The end of “Safe Harbour” caught officials off guard and the EU and US rushed to come up with an alternative.
‘We are prepared’
The case being decided on Thursday originally focused on something called standard contractual clauses, an EU invention in which companies outside Europe commit to meeting EU laws on data and privacy.
But during the hearings, judges took a special interest in “Privacy Shield” and a legal advisor to the court warned that it may be illegal, just like its predecessor “Safe Harbour”.
Schrems’ new case began in Ireland, the hub for Facebook’s activities in the European Union. The Irish Data Protection Commission referred the complaint to Ireland’s top court, which turned it over to the judges in Luxembourg.
Backers of “Privacy Shield” insist that, while the deal is used by tech giants, it also allows smaller US companies to provide services in Europe.
“The court could upend one, two or all global data transfer mechanisms, sending tens of thousands of companies scrambling,” said Caitlin Fennessy of the International Association of Privacy Professionals.
On the other hand, it “could validate the existing legal order, providing companies around the world the legal certainty they’ve been seeking for decades.”
The IAPP represents most of US big tech on data issues, including Google and Microsoft, but also other US multinationals such as Lockheed and KPMG