The Irish High Court has referred a complaint about Facebook's transfer of European citizens' data to the USA for processing to the European Court of Justice - capping a hectic couple of weeks for the social media giant.
The ECJ's decision could have a significant impact on the business model of Facebook and other US-based internet firms that depend on processing personal data.
The case against Facebook was originally brought to the Irish Data Commissioner (DPC) by Austrian lawyer and privacy activist Max Schrems in 2013. The complaints revolved around the way that data on European citizens could be accessed by the US security services, as revealed by Edward Snowden. It was referred by the DPC to the ECJ, which ultimately annulled the EU-US data sharing Safe Harbour Agreement in 2015. It was replaced by the current Privacy Shield framework.
For tax purposes, Facebook operates from its Dublin offices as Facebook Ireland Ltd. It transfers EU citizens' data to Facebook Inc. in the US under a system called 'model clauses' or 'standard contractual clauses' (SCC). Facebook users in other countries also have their data processed by Facebook Ireland Ltd.
Model clauses are a standardised form of document that, once approved by the European Commission (EC), allow companies to transfer data without further reference to the authorities.
Privacy activists have long argued that they provide a convenient loophole for data processors to carry on with business as usual and that Privacy Shield is little better than the framework it replaced.
Facebook started using model clauses for transferring data to the US after Safe Harbour was abolished and has continued to do so ever since. However, the US authorities are still able to access users' data for bulk processing.
Facebook had argued that the case was concerned with national security and therefore falls outside of European privacy and data protection laws, something rejected by the High Court.
Professing himself pleased with the decision, Schrems said he regrets that the case has taken five years to reach this stage. He said he believed the Irish DPC could have made the decision itself rather than resorting to the back and forth with the ECJ, but that he was hopeful that the Privacy Shield more widely would come under scrutiny.
"What is remarkable is that the High Court also included questions on the Privacy Shield, which has the potential for a full review of all EU-US data transfer instruments in this case," he said in a statement.
Given that the High Court had found that the US is able to undertake mass processing on citizens data Schrems said the ECJ must now be bound by that finding, Schrems claimed.
"Given the case law, the question, in this case, does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook's EU-US data transfers and which approach they will take to remedy the conflict of EU privacy protections and US surveillance."
Schrems has argued that a targeted solution which would only affect data companies and not other sectors should be possible under existing legislation.
"We hope that the Court of Justice will adapt our approach, which is a targeted suspension of data transfers if a company falls under US mass surveillance laws," he said.
Any ruling by the ECJ is likely to take about 18 months.
Schrems recently set up a non-profit organisation to help people sue tech firms for privacy breaches under the GDPR.
BT wants to make the public switched telephone network history within eight years
Personal data being purloined by third parties via Facebook Login API
MacOS and iOS are better off apart, says CEO Tim Cook
Or they'll no longer be entitled to updates and bug patches