Facebook might have felt the worst was over. Chief executive and chairman Mark Zuckerberg concluded a gruelling two-day appearance before US Congressional committees Wednesday, and Facebook was still intact.
But a day is a long time in international data privacy battles. On Thursday, the company learned the European Court of Justice (ECJ) is going to decide whether the instrument it uses to transfer Europeans’ data to the US, called standard contract clauses (SCCs), guarantees adequate privacy protections.
And that's only the start of a potential transatlantic nightmare. The High Court referral by Ms Justice Caroline Costello includes the bombshell questions of whether the EU/US data transfer agreement Privacy Shield is valid. And if neither Privacy Shield nor SCCs pass muster, should transatlantic data flows cease?
Privacy Shield was hammered out between the US and the European Commission after an initial case taken by Austrian privacy campaigner Max Schrems over his Facebook data resulted in the ECJ declaring invalid Privacy Shield's predecessor agreement, Safe Harbour.
Schrems is also a party to the current case. It rests on whether his data stored on Facebook’s US servers, and transferred using SCCs, is safe from indiscriminate US surveillance.
Those concerns stem from Edward Snowden’s disclosure in 2013 of large-scale NSA spying programmes such as PRISM, believed to have accessed data from Facebook and other technology companies.
Irish data protection commissioner (DPC) Helen Dixon has said she is inclined to side with Schrems - already a worry for Facebook. But in a complex case taken against Facebook, the DPC asked the High Court to determine if the contracts could be deemed safe instruments.
Now, all formats for data transfers are under scrutiny.
Primal fear
Compared to this fresh development, facing senatorial questions for five hours will seem like pure joy. There’s absolutely no question that Facebook and many other US and European companies that routinely move data between the two jurisdictions will view this referral with primal fear.
Not least because, along with the very real prospect of losing hundreds of millions of users and customers in an instant, there’s little Facebook or any other company can do but sit and wait for the view of the justices. Justices who, in recent years, have made a series of landmark pro-privacy rulings and indicated they are not inclined to cut either the US government or the commission any slack if they haven’t sufficiently sorted out compliance with European privacy law for these transfer instruments.
And, worse again, there’s little that companies can do when the problematic part of these instruments is due to the firm stance on data access taken by the US government in the name of security. Congress only recently renewed the ability of US surveillance agencies to access data in ways many privacy advocates deem overly broad and too secretive.
In the current case, Facebook has argued that such security provisions are grounds for exemptions to EU data protection law, and asked for the referral to be quashed. Ms Justice Costello seems very unlikely to withdraw a referral for a case whose entire point was to produce a referral, but has agreed to give Facebook lawyers until April 30th to consider the document before the referral is formalised.
While many businesses and privacy organisations expected a challenge eventually to Privacy Shield, few expected this High Court case would result in such a comprehensive consideration of the viability of both SCCs and Privacy Shield in a single go.
Awaiting the ECJ's view - which could take over a year - will keep many a chief executive and executive board in a sweat. The ultimate decision could, in one blow, overturn long-standing business models and demand a major rethink of how all companies manage customer and user data, especially large gatherers and managers of data such as Facebook, Google, Amazon, Twitter, Microsoft and Apple, to name just a few.
Cross fingers
Companies can either cross their fingers and wait, or start costly efforts to restructure to keep EU data out of the US. The US is certainly at risk of becoming a pariah country where no external data goes, and US citizens are likely to start asking - as many already have in the wake of the Facebook/Cambridge Analytica scandal - why they lack protections offered to Europeans. But shorter term, expect uncertainty, and the possibility of immediate post-decision chaos.
Just don’t underestimate the ECJ. In its Digital Rights Ireland decision a few years ago - which underlies the first Schrems decision - the ECJ has already stated that even in the name of security, member state governments still have an obligation to keep data gathering proportionate and balanced. The corporate problems that might arise from officials failing for years to reconcile two conflicting data privacy environments simply won’t be their priority.