DUBLIN/BRUSSELS (Reuters) - The ability of firms such as Facebook to easily transfer Europeans’ data to the United States was plunged into legal limbo on Thursday when the Irish High Court asked the EU’s top court for a detailed assessment of whether the methods were legal.
The Irish High Court referral, published on Thursday and due to be submitted to the ECJ by the end of April, stems from a case brought by an Austrian privacy activist against the methods used by Facebook to store user data on U.S. servers following revelations in 2013 of mass U.S. surveillance practices.
Cross-border data transfers are an integral part of companies’ business - be it for human resources purposes, completing credit card transactions or storing people’s browsing histories - but the referral casts renewed uncertainty on the legal mechanisms underpinning billions of dollars’ worth of data transfers.
The High Court’s five-page referral asks the Court of Justice of the EU (ECJ) if the Privacy Shield - under which companies certify they comply with EU privacy law when transferring data to the United States - does in fact mean that the United States “ensures an adequate level of protection”.
EU data protection law prohibits personal data being transferred to a country with inadequate privacy protections.
Facebook has until April 30 to lodge an application to block the referral. Paul Gallagher, a lawyer for the U.S. firm., said he was considering whether to request a delay or a possible appeal.
Facebook is under scrutiny after it emerged the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica.
Data privacy has been under major public scrutiny since the revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance caused political outrage in Europe.
Facebook CEO Mark Zuckerberg was grilled this week by U.S. lawmakers on the privacy lapses, but came away mostly unscathed with little sign of a consensus emerging on whether regulation was needed to safeguard privacy.
The Privacy Shield was hammered out between the EU and the United States after the Court of Justice of the EU (ECJ) struck down its predecessor on the grounds that it did not afford Europeans’ data enough protection from U.S. surveillance.
Irish High Court Judge Caroline Costello in October said she had decided to ask the ECJ for a preliminary ruling in the case, but the scope of the referral only became clear on Thursday.
Max Schrems, an Austrian law student who successfully challenged Safe Harbour - Privacy Shield’s predecessor - subsequently brought a case against another legal instrument used by Facebook and other firms to transfer personal data to the United States, so-called standard contractual clauses.
The High Court asked the ECJ whether personal data transferred from the EU to the United States using such clauses, and the separate privacy shield, violated Europeans’ fundamental right to privacy.
“Given the case law, the question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-U.S. data transfers,” Schrems said in a statement.
The Irish court also asked the ECJ whether European data protection authorities ought to suspend data flows if the company moving the data outside the EU is subject to “surveillance laws” that conflict with the EU’s right to privacy.
Facebook has previously said the case could lead to a breakdown in transatlantic data transfers that could knock EU economic output by up to 1.3 percent.
A ruling from the ECJ is likely to take around 18 months.
Reporting by Conor Humphries, writing by Julia Fioretti; editing by Robert-Jan Bartunek and Alexandra Hudson