Tomorrow morning the European Court of Justice will announce its ruling on a long-running dispute around the protections given to our online data.
The case involved the Irish Data Protection Commissioner, Facebook and the US government - but tomorrow's outcome could have repercussions for a huge number of businesses and users.
What’s the case about?
This case boils down to whether the private information of EU citizens is properly protected when companies transfer it to US soil.
As part of the EU’s Charter of Fundamental Rights, every citizen is entitled to have their personal data protected. That right is largely underpinned by the General Data Protection Regulation (GDPR).
Of course GDPR does not apply in non-EU countries (so-called ‘third countries’), but in order to send certain information outside of the bloc, companies must agree to act as if it did.
At the same time, US law obliges certain technology companies - like Facebook, Google, Apple and Twitter - to give US surveillance services access to the data they hold on grounds of national security.
Max Schrems and his organisation NOYB (None of your Business) believe that there is a fundamental clash here.
In 2015 he made a complaint to Ireland’s Data Protection Commissioner (DPC) arguing that, as his Facebook data could be accessed by US authorities with no proper legal redress available to him, it was not compliant with EU laws.
That complaint eventually ended up in the Irish court system, which ultimately referred a number of questions to the European Union’s Court of Justice.
Who’s Max Schrems?
Max Schrems is an Austrian privacy campaigner who has been raising issues around Facebook - and by proxy every company that collects user data - for almost a decade.
The case currently before the ECJ is known as Schrems II - because it’s the second time a complaint of his has ended up at their door.
The first one has its origins in a 2013 complaint to the Irish DPC, which ultimately led to the end of the Safe Harbour agreement.
That was the structure many companies used to send data between the EU and US until it was deemed invalid by the court in late 2015.
The decision prompted firms to switch to Standard Contractual Clauses (SCCs) to ensure they could continue to send data across the Atlantic, while the EU and US later established the Privacy Shield framework as a replacement for Safe Harbour.
The workings of the SCCs and Privacy Shield are what the court is currently considering.
But what has this got to do with Ireland?
Under EU law any complaint about personal data must be lodged with the regulator in the country in which the company in question is registered.
Facebook - like a lot of big tech firms - has its international headquarters registered in Ireland, which means that the Irish Data Protection Commissioner is its supervisory authority.
So even though this case relates to an Austrian citizen and US firm, it has to go via Dublin.
Do we have any indication of what the court will do?
No - but we do have the opinion of the court’s advocate general, which the ECJ usually (though not always) agrees with.
In his opinion, the advocate general deemed the SCCs to be valid - however he also said specific attention had to be given to the national security protections of the third country to ensure it complied with EU law. In other words, each contract had to be looked at on a case-by-case basis.
His opinion largely skirted around the validity, or otherwise, of Privacy Shield. The advocate general did raise doubts about it, but suggested it would be better examined in a case that gave its entire focus to the framework.
So what might the court decide tomorrow?
There are a number of potential outcomes, all of which have different knock-on effects. And while Facebook is the company at the centre of this case, its outcome will impact on many other firms - and potentially users.
Here are four potential outcomes:
1) Everything is fine
The ECJ could decide that SCCs and Privacy Shield are valid and provide enough protection to EU citizens, even when their data goes to the US. In that case, nothing changes and tech companies breathe a sigh of relief.
2) The court sides with the advocate general
If the court’s ruling mirrors the opinion of the advocate general, companies like Facebook will be obliged to ensure that the countries they’re sending data to offer adequate protections. It would then be up to their regulator - in this case the Irish DPC - to step in to ensure that is the case.
One potential issue with this is that it could lead to an inconsistent approach across the EU. For example the Irish regulator could decide that European data is adequately protected when sent to the US, but the Spanish regulator could decide it is not.
3) One or the other is deemed invalid
The court could decide that either SCCs or Privacy Shield are invalid.
The former is seen as unlikely, but if it were to happen it would impact data transfers to every non-EU country - not just the US.
And while the advocate general essentially side-stepped the issue of the US-specific Privacy Shield, there is a chance that the court could make a decision on it regardless.
If it were invalidated it would create a headache for the many firms that rely on it to transfer data - though assuming SCCs remain an option it would not be a complete disaster.
4) SCCs *and* Privacy Shield are deemed invalid
The nuclear option is that both methods of transferring data to the US are struck down.
This is seen as unlikely, but it is also the outcome that has the greatest degree of uncertainty as it would leave no obvious method for companies to send data to other countries.
Within industry there is a hope that, even if that were to happen, there would be a grace period offered to allow firms to find new arrangements. However, on the legal side it would be seen as unlikely for a court to deem something invalid and then allow it to remain in place for a set period of time.
It should also be remembered that Safe Harbour was invalidated immediately - forcing firms to scramble to find alternatives right after the ECJ announced its decision.
Could I get cut off from Facebook or other sites tomorrow?
No, almost certainly not.
If the court invalidates either SCCs or Privacy Shield, companies like Facebook and Google would have something of a fall-back position to continue transferring data.
Meanwhile, if both are kept valid but an onus is put on the laws of the other country, the decision ends up back in the hands of companies and regulators. That gives time to identify any issue and address it, which means normal service remains for the time being at least.
Issues may arise if both frameworks are deemed invalid, however even then the impact would be limited.
That’s because this case does not relate to so-called ‘necessary’ data transfers - that would be the likes of your emails, or a hotel or airline booking you might make involving a US firm.
US surveillance laws also only relate to specific types of companies - so your dealings with "normal" firms like banks or online retailers are not covered.
And even then it’s only personal data that’s contentious - and not the likes of a YouTube video or music stream you might want to access.
But for what remains, companies would be limited in their options to maintain data flows.
They could use another legal framework known as Binding Corporate Rules, which also allow for the transfer of data. However they can only apply to data flowing from one part of a corporation to another and they need the sign-off of regulators - which could take more than a year to secure.
Alternatively companies could try to argue that their data is ‘necessary’, and entitled to an exemption under the rules. However what qualifies for this classification has until now been policed quite strictly, so it may be difficult to justify in many cases.
Meanwhile it is believed that the European Commission has been quietly working on an alternative to the SCCs in case they were deemed invalid. It is not clear, however, whether that would be immediately available if the court comes to that conclusion.
So what could change?
Bar the court deciding that everything is fine as-is, many companies are likely to have a lot more work to do following tomorrow’s ruling.
They could come under a heavier obligation to ensure the places they are sending their data to are offering adequate protections - with regulators given more clarity on their role in checking that that is the case.
That could also mean that regulators like the DPC could be faced with big decisions in the near future, if they are asked to stand over a company’s decision to continue sending data to the US.
And if it is ultimately decided that EU data is not given enough protections in the US, that could create a significant headache for many tech firms.
For a start they would have to unpick what data is deemed personal and what can be claimed as ‘necessary’ (and, as a result, still free to transfer). That would be extremely difficult to do given the myriad services most major tech companies offer.
For example many firms use Facebook as an online shop, while others opt to use its private messaging services as a replacement for old-fashioned email. Would they be deemed necessary communications, or does the personal information gleaned as part of that put it under the remit of GDPR?
Some argue that the companies in question could overcome this kind of challenge by opting not to send data to the US at all - instead using EU-based data centres for EU citizens’ data.
However that too may be easier said than done.
Rather than sending it to one location, many firms replicate user data across multiple servers around the world. Opting to limit specific users’ data to one set of servers may be difficult to do, and could even interrupt the service being offered in the first place.
It is in companies’ interest to ensure users are unaffected by any rule changes - but depending on the court’s decision tomorrow, doing so may become a significant challenge.