An adviser to Europe's highest court told its judges Thursday to uphold the contractual terms that Facebook and other companies rely on to transfer billions of dollars worth of data on Europeans to other countries.
Why it matters: The case's outcome will not only determine whether companies need to rethink how they protect users' privacy and data, but could also shape a deeper transatlantic divide for the internet, Axios' Margaret Harding McGill writes.
Details: The European Commission-backed model agreements that companies use to protect users' privacy in data transfers are "valid," wrote European Court of Justice advocate general Henrik Saugmandsgaard Øe in an advisory opinion, a non-binding recommendation that the court follows the vast majority of the time.
Yes, but: The opinion said regulators should still force companies to halt transfers under certain circumstances and raised questions about a key U.S.-EU agreement on data flows.
Where it stands: A final ruling in line with the opinion that the contracts are valid could reassure U.S. companies.
- But Saugmandsgaard Øe leaves the door open to European regulators blocking data transfers because they think U.S. surveillance practices conflict with EU privacy standards.
- And if the court picks up questions he raised around the EU-U.S. Privacy Shield and finds it invalid, there would be major repercussions for the thousands of companies who rely on that agreement to freely transfer data, ranging from payroll information to European customer records.
- "We are talking about billions and billions of dollars worth of commerce that relies on that transatlantic data flow," Aaron Cooper, vice president at BSA | The Software Alliance, said ahead of the opinion's release. "It is about every industry sector."
The big picture: Europe has sought to set the global standards on online privacy, with strict data safeguards that contrast with the U.S.' historically laissez-faire approach. The pending court ruling represents a judgment before the world of how people's data gets handled in the U.S.
Details: The European Court of Justice, the EU's supreme court, is weighing whether model agreements with U.S. companies meant to protect Europeans' privacy abroad are up to snuff.
- The case stems from a complaint against clauses in Facebook's data contracts, brought by European privacy advocate Max Schrems.
- The European Commission has endorsed the so-called standard contractual clauses, but Schrems argued the Facebook clauses do not adequately protect Europeans from government surveillance in the U.S.
- He said he is "generally happy" with the advisory opinion. "Everyone will still be able to have all necessary data flows with the US, like sending emails or booking a hotel in the US," Schrems said in a statement. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the NSA."
Flashback: You might remember Schrems from launching the case that upended the previous agreement that governed data flows between the U.S. and Europe, the Safe Harbor, in 2015.
- Responding to U.S. government data collection practices exposed by NSA contractor Edward Snowden, Schrems filed complaints against several U.S. companies that led to the European high court declaring the Safe Harbor invalid.
- U.S. companies scrambled to set up alternative arrangements while the U.S. and Europe hammered out a new agreement, 2016's Privacy Shield.
Now, the Privacy Shield faces a major test, and court watchers have been worried it will not pass.
What's next: The advisory opinion is just that — advisory. The final ruling is expected sometime in the first half of 2020.