An adviser to Europe's highest court told its judges Thursday to uphold the contractual terms that Facebook and other companies rely on to transfer billions of dollars worth of data on Europeans to other countries.
Why it matters: The case's outcome will not only determine whether companies need to rethink how they protect users' privacy and data, but could also shape a deeper transatlantic divide for the internet.
Driving the news: The European Commission-backed model agreements that companies use to protect users' privacy in data transfers are "valid," wrote European Court of Justice advocate general Henrik Saugmandsgaard Øe in an advisory opinion, a non-binding recommendation that the court follows the vast majority of the time.
Yes, but: The opinion said regulators should still force companies to halt transfers under certain circumstances and raised questions about a key U.S.-EU agreement on data flows.
Where it stands: A final ruling in line with the opinion that the contracts are valid could reassure U.S. companies.
- But Saugmandsgaard Øe leaves the door open to European regulators blocking data transfers because they think U.S. surveillance practices conflict with EU privacy standards.
- And if the court picks up questions he raised around the EU-U.S. Privacy Shield and finds it invalid, there would be major repercussions for the thousands of companies who rely on that agreement to freely transfer data, ranging from payroll information to European customer records.
- "We are talking about billions and billions of dollars worth of commerce that relies on that transatlantic data flow," Aaron Cooper, vice president at BSA | The Software Alliance, said ahead of the opinion's release. "It is about every industry sector."
The big picture: Europe has sought to set the global standards on online privacy, with strict data safeguards that contrast with the United States' historically laissez-faire approach. The pending court ruling represents a judgment before the world of how people's data gets handled in the U.S.
Details: The European Court of Justice, the EU's supreme court, is weighing whether model agreements with U.S. companies meant to protect Europeans' privacy abroad are up to snuff.
- The case stems from a complaint against clauses in Facebook's data contracts, brought by European privacy advocate Max Schrems.
- The European Commission has endorsed the so-called standard contractual clauses, but Schrems argued the Facebook clauses do not adequately protect Europeans from government surveillance in the U.S.
- He said he is "generally happy" with the advisory opinion, noting that he did not want to disturb the thousands of contractual agreements in place globally. "Everyone will still be able to have all necessary data flows with the US, like sending emails or booking a hotel in the US," Schrems said in a statement. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the NSA."
- Facebook associate general counsel Jack Gilbert said the company is grateful for the opinion. "Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas," Gilbert said in a statement.
Flashback: You might remember Schrems from launching the case that upended the previous agreement that governed data flows between the U.S. and Europe, the Safe Harbor.
- Responding to U.S. government data collection practices exposed by NSA contractor Edward Snowden, Schrems filed complaints against several U.S. companies that led to the European high court declaring the Safe Harbor invalid in 2015.
- U.S. companies scrambled to set up alternative arrangements while the U.S. and Europe hammered out a new agreement, 2016's Privacy Shield.
Now, the Privacy Shield faces a major test, and court watchers have been worried it will not pass.
- The main question before the European court is whether the standard contractual clauses adequately protect privacy, but a lot of the questions posed by the court relate to Privacy Shield, so the final ruling could affect both.
- The advisory opinion says the court shouldn't weigh in on Privacy Shield, but also raises concerns about the adequacy of the agreement for protecting Europeans privacy.
- In particular, Saugmandsgaard Øe questioned Privacy Shield's reliance on a U.S.-appointed ombudsperson to resolve Europeans' complaints about how their data gets handled, including by American intelligence agencies. He's not sure a single ombudsperson is sufficient—or sufficiently independent from U.S. government interests—to give proper redress.
Reality check: The advisory opinion is just that — advisory. The high court often goes along with it, but that's not always the case.
What's next: The final ruling is expected sometime in the first half of 2020.
- The Electronic Privacy Information Center has sided with Schrems in the case, warning that the U.S. has not done enough to correct the problems revealed by Snowden.
- EPIC President Marc Rotenberg said earlier this week the U.S. needs to pass comprehensive privacy legislation and create a data protection authority to address the issues "The U.S. actually has to do more to improve privacy standards within the US, which is ultimately what will satisfy Europe and benefit consumers," Rotenberg said.
Editor's note: This story has been updated with a different quote from EPIC's Marc Rotenberg.