Thousands of companies were turned into lawbreakers at a stroke the last time the High Court of Ireland referred a question about data protection to the Court of Justice of the European Union (CJEU). And it may be about to do it again.
That means yet more uncertainty for companies processing European citizens' personal information in the U.S., as they struggle to keep up with the changes in privacy regulations triggered by the CJEU's response to the Irish court's last question.
Under EU law, citizens' personal information can be exported only to jurisdictions guaranteeing a similar level of privacy protection to that required by the 1995 Data Protection Directive.
The Safe Harbor Agreement made by EU and U.S. authorities in July 2000 was supposed to make that guarantee for data transferred to the U.S.
Last October, though, the CJEU struck down the agreement, saying it did not adequately protect European citizens' personal information from massive and indiscriminate surveillance by U.S. authorities.
The Irish high court triggered that ruling by asking the CJEU to rule on some matters of law in a case pitting Austrian Facebook user Maximilian Schrems against the Irish Data Protection Commissioner.
Schrems had complained that, in the light of the revelations of Edward Snowden about the U.S. National Security Agency's surveillance of data held by U.S. companies, Facebook's handling of his personal information did not meet EU legal requirements. Facebook CEO Mark Zuckerberg has denied the accusations.
In the wake of the CJEU's ruling, the European Commission told businesses making transatlantic data transfers to use alternative legal mechanisms, such as standard contract clauses or binding corporate rules, to offer the necessary legal guarantees while it struck a new agreement with U.S. authorities.
But now the Irish Data Protection Commissioner wants the country's high court to ask the CJEU whether standard contract clauses suffer from the same inadequacies as Safe Harbor.
The Article 29 Working Party, which brings together data protection authorities from all EU member states, has been studying just that question since the CJEU's ruling in October.
To minimize the potential disruption to businesses, the working party will wait until the Commission has completed its negotiations with U.S. authorities on Privacy Shield, the replacement for Safe Harbor, before giving its verdict on alternative transfer mechanisms, it said in April.
That the working party feels the need to withhold its opinion of those mechanisms suggests it is not entirely happy with standard contract clauses either. But if it were to torpedo all the data transfer mechanisms allowed under the directive, there would be no legal way for businesses to send personal information from the EU to the U.S.
Facebook is taking the whole thing calmly. "There is no immediate impact for people or businesses who use our services," a company spokeswoman said Wednesday. "Standard contract clauses remain valid, and Facebook has other legal methods in place to transfer data between countries," she said.
That's certainly true for now, but a new ruling from the CJEU could change that.
Schrems, whose complaint to the Irish DPC triggered the whole legal process, expects the CJEU to invalidate standard, or model, contract clauses, for exactly the same reasons it struck down Safe Harbor.
"All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the U.S. does not substantially change its laws I don't see how there could be a solution," he said via email.