A monthlong courtroom clash between Facebook Inc., Ireland’s data protection regulator, and Austrian privacy activist Maximilian Schrems is set to wrap up on Wednesday. The stakes are big for Facebook, but they are even bigger for the European Union’s digital economy. Depending on how the court rules, the legal mechanism that most companies rely on to transfer personal data outside the bloc—so-called Standard Contractual Clauses (SCCs)—could start to unravel.
Here’s an overview of how we got here:
1) Hasn’t this already happened once before?
Kind of. Schrems filed a complaint in 2013 about the legality of Facebook Ireland transferring his personal data to servers in the U.S. in the wake of the Snowden leaks about such government surveillance programs as PRISM. That case centered on the mechanism that Facebook and many other companies used at the time, called Safe Harbor, to transfer EU personal data to the U.S. The matter went to the Irish High Court and then to the Court of Justice of the European Union (CJEU), which struck down Safe Harbor in 2015.
In the wake of that ruling, Facebook and many other companies switched over to using SCCs—model contracts between data “exporters” and foreign processors that are designed to replicate the data protections in EU law. Schrems filed a new complaint, and it is those SCCs that are now in danger.
2) What does Schrems want?
To halt transfers of data between Facebook Ireland and Facebook’s U.S. operations. The crux of his complaint is that because of U.S. surveillance programs, his data does not receive sufficient privacy protections in the U.S., and he has no effective recourse in U.S. courts. He also contends that Facebook’s SCCs in particular diverge from the approved model. (Schrems alleges the company didn’t even sign the documents correctly—filling in “Facebook Ireland Ltd.” where it should have put “Facebook Inc.”—saying it “begs the question of the seriousness of the whole exercise overall.”)
3) So is that all that’s at stake?
No. When Irish Data Protection Commissioner Helen Dixon made a preliminary ruling on Schrems’ complaint, she called the SCC mechanism itself into question. In essence, she said U.S. law does not provide EU citizens with an effective remedy for violations of their privacy rights—which is guaranteed by Article 47 of the EU Charter of Fundamental Rights—and that SCCs cannot paper over that gap. (Notably, her decision came before the U.S. and EU finalized their “Privacy Shield” agreement, which included some changes to the way the U.S. handles EU citizens’ complaints about data handling.)
But SCCs aren’t just used for U.S.-EU data transfers; companies with operations in Europe use them to transfer personal data all over the world. Invalidating SCCs would therefore have broad consequences. “I think the implications would be very serious for all sectors of the European economy that are transferring data outside of the European Economic Area,” said Alexander Whalen, senior policy manager at DigitalEurope, which weighed in on Facebook’s behalf in an amicus brief.
4) What happens next?
The case was referred last year to the Irish High Court. Judge Caroline Costello has been hearing oral arguments since Feb. 7, and much of the bench trial has focused on personal data protections in U.S. law; the U.S. government has also weighed in. Facebook has argued that Dixon’s analysis was wrong and that U.S. law doesn’t have to exactly mirror EU law in order for the SCCs to be valid. The question before Costello is whether to seek a higher opinion from the CJEU. She’s expected to issue a decision within several months, but it could come within a matter of weeks.
The case could go a number of ways. One possibility is that Costello rules the commissioner was wrong in her analysis, but that Facebook’s SCCs specifically are still faulty. Or the judge could agree with the Irish commissioner that there is a real question about the validity of the SCCs as a mechanism and refer the case to the CJEU. If that happens, there would be real uncertainty about the future viability of SCCs, but a decision by the CJEU would still be a year and a half to two years away.
5) Who are the lawyers?
In the Irish legal system, only independent barristers can actually argue before the court, while firms can help prepare expert testimony and briefs. For Facebook, Gibson, Dunn & Crutcher has been handling much of the briefing on U.S. law, in cooperation with Irish firm Mason, Hayes & Curran. The main barristers for Facebook are Paul Gallagher, a former Irish attorney general, and Niamh Hyland.
Solicitors Ahern Rudden Quigley have been representing Schrems; the principal barrister arguing on his behalf is Eoin McCullough.
Contact the reporter at email@example.com. On Twitter: @benghancock.