The European Union Court of Justice has announced that it will give a "non-binding opinion" in the Schrems vs Facebook case on 12 December. However, it will take many more months for a final ruling.
The lawsuit, called "Schrems II" by the legal body, is the continuation of Austrian lawyer and privacy activist Max Schrems’ demand for the Irish data protection authority to take action to enforce European data protection rules on Facebook.
Schrems’ initial complaint to the Irish Data Protection Commissioner (DPC), filed more than five years ago about the transfer of his personal data from Facebook Ireland to Facebook in the US, led to a ruling in 2015 that abolished the widely-used trans-Atlantic data-transfer system called Safe Harbour.
Facebook then acknowledged the decision as a business risk.
"In 2016, the European Union and the United States agreed to an alternative transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but this new framework is subject to an annual review that could result in changes to our obligations and also may be challenged by national regulators or private parties," the company said in its 2017 annual statement.
Schrems is now striving to remove the Standard Contractual Clauses, an alternative to the trans-Atlantic data-transfer system. His lawsuit also puts parts of the Privacy Shield arrangement under scrutiny.
Meanwhile, Facebook warned Europe's top court that removing a crucial system used by businesses to move data out of the European Union would affect trans-Atlantic trade, reported Bloomberg.
Bridget Treacy, partner and cyber-security practice lead at Hunton Andrews Kurth, agrees. "If the Court invalidates those mechanisms, the day to day operations of organisations around the globe, involving transfers of EU personal data, will be thrown into disarray," she said.
The main reason: a lack of credible alternatives.
"If Standard Contractual Clauses are struck down, organisations will need to reconsider all their global data flows, the vast majority of which rely on this mechanism. Alternatives to the standard contractual clauses are limited," she said.
The EU-US Privacy Shield only applies to EU-US transfers, and it is the subject of a separate legal challenge. Binding corporate rules require a comprehensive compliance programme and take months to implement.
"Derogations - such as consent - are not currently available for repeated, mass or structural data flows. Although the European Commission is updating existing Standard Contractual Clauses, these are unlikely to be available before the ruling in Schrems II," she said.
The impending Brexit makes the situation even more complex for UK organisations. Once out of the EU, the UK will be like any other non-EU country in respect of data transfers, and EU organisations will need a data transfer mechanism to continue to transfer personal data to the UK, she noted.
The larger issue -- whether American law, which allows its security agencies to access the personal data of non-nationals, contravenes European data protection laws -- remains unaddressed.