By Foo Yun Chee
BRUSSELS (Reuters) – Europe’s top court will on Thursday rule on the legality of tools companies use to transfer Europeans’ data around the world, in the latest clash between Facebook and Austrian privacy activist Max Schrems.
If the court finds the mechanisms are illegal, companies, ranging from small businesses to industrial giants, such as Facebook, could have to suspend the data transfers that underpin standard contractual clauses or face hefty fines for breach of EU privacy laws.
“The Court could upend one, two or all global data transfer mechanisms, sending tens of thousands of companies scrambling, or could validate the existing legal order, providing companies around the world the legal certainty they’ve been seeking for decades,” Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said.
The industry body’s members include Amazon, AT&T, Cisco, Citi, Facebook, Google, GlaxoSmithKline, HSBC, Huawei, Microsoft, Lockheed Martin and KPMG.
Schrems shot to fame for winning a legal battle in 2015 to overturn previous privacy rules known as Safe Harbour.
It took the European Commission, the EU executive, and the United States more than a year to agree an alternative.
Known as the Privacy Shield, it is designed to protect Europeans’ personal data that is transferred outside the European Union when companies sign contracts with non-EU companies on outsourcing services, including payroll and cloud infrastructure.
The latest case – C-311/18 Facebook Ireland and Schrems – came before the Luxembourg-based Court of Justice of the European Union (CJEU) after Schrems challenged Facebook’s use of standard clauses as lacking sufficient data protection safeguards.
Former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance increased EU concerns about data transfers.
The Irish Data Protection agency, which is Facebook’s lead regulator, took the case to the Irish High Court, which then sought guidance from the CJEU.
Last December a CJEU adviser said such data transfer mechanisms were legal with the caveat that they could be blocked if countries receiving such information fail to meet European data protection standards.
In the EU, the General Data Protection Regulation (GDPR), introduced in 2018, seeks to increase individuals’ control over their personal information. Companies that fail to comply are liable to fines of up to 4% of global annual turnover.
(Reporting by Foo Yun Chee; editing by Barbara Lewis)