Five years ago, when activist Max Schrems took Facebook to the European Union's top court no one knew what to call it. The case, which led to judges scrapping a key trans-Atlantic data-transfer agreement, was referred to as the Safe-Harbour dispute or other unmemorable technical terms.
On Tuesday, Schrems is back at the EU Court of Justice in Luxembourg to challenge Facebook in another case that could rewrite data-privacy law and which the legal community has given a catchier moniker: Schrems II.
The latest lawsuit challenges the legality of tools used by companies to move commercial data outside of the EU. The first Schrems case led to a surprise ruling in 2015 that struck down a widely-used trans-Atlantic data-transfer system over concerns US spies could get unfettered access to EU data.
At risk in the latest case are Standard Contractual Clauses, which companies rely on as the most efficient alternative to transferring commercial data after the EU court's first decision. It also questions parts of the so-called EU-US Privacy Shield, the new trans-Atlantic data transfer pact adopted in 2016 to replace Safe Harbour.
Facebook, Instagram having connectivity issues for some users
The clauses "provide important safeguards to ensure that Europeans' data are protected once transferred overseas," Jack Gilbert, Facebook's associate general counsel, said in the statement.
Facebook tried for almost two years, and failed, to prevent the Irish court from referring the dispute to the EU tribunal. Peter Church, a technology and privacy lawyer at Linklaters in London, said it's "pretty unlikely" the EU court will uphold the standard contractual clauses in their current form. The Irish judge, in the opinion referring the case to the EU tribunal, was "pretty negative" on the issue, he said.
For Schrems, it's not the tool in itself that is the problem. He questions Facebook's use of the standard contractual clauses, and has urged the nation's data protection regulator to suspend Facebook's EU-US data flows. The Irish watchdog went a step further and questioned the validity of this tool more generally.
The Irish regulator "must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over," Schrems said in an emailed statement. "This case has been pending for six years."
How Facebook fought fake news about Facebook
If the clauses and even the Privacy Shield were torpedoed for failing to provide sufficient safeguards to protect the data of European citizens, it would leave companies with no good alternatives. The legal gap created by such a ruling would expose companies to "significant compliance risks," said McKean.
They could be in breach of the EU's one-year-old privacy rules, the General Data Protection Regulation, and face possible fines of as much as 4% of annual sales.
"And it's not just the regulators that could be coming for them, it's also the likes of Mr Schrems" in consumer lawsuits across Europe, said McKean. Schrems founded a group called noyb - for none of your business - that he has already used to file complaints.