Thursday’s judgement by the Court of Justice of the European Union (CJEU) will have immediate, far-reaching consequences. It will also have many which can not yet be firmly predicted.
The 63-page judgement of the Court, feeding off a referral from the Irish High Court of a case taken by the Data Protection Commission, is intensely complex. The various parties have good reason to state they are 'studying the decision closely’.
This is because its density guarantees there will be a great deal of varying interpretations of its meaning.
That can be observed already in that Facebook “welcomes” the Court’s approval of Standard Contractual Clauses (SCC) for transatlantic data transfer, something privacy activist Max Schrems, who took the initial complaint to the DPC, has said is simply untrue.
In this, Mr Schrems’ view appears to be vindicated by closer inspection of the text of the judgement, leaving Facebook and others in an uncomfortable position.
The most immediate consequence is that Privacy Shield, the successor to the Safe Harbor agreement between the EU and the United States, is no more.
That ruling will have to be given formal voice by our own High Court in the coming weeks, and some sort of grace period will apply for companies to get their stalls in order. But that aside, Privacy Shield is gone.
Where things get interesting is the fact that, while the CJEU has not specifically invalidated SCCs as a means for international data transfers, it has made it clear they are to be considered on a case-by-case basis by individual data protection authorities, with the standard to aim for of that which guarantees an EU citizen’s data will be as well-treated, wherever it is transferred outside the bloc as it is within it.
But in America’s case, the court has already decided that is not the case. The two data regimes are incompatible given the surveillance inherent with US Government agencies.
So if Facebook and company cannot rely on SCCs with the US to transfer their data, how on earth can their business model function?
The US was doing little to suggest it would be backing down late on Thursday, with a senior official telling reporters changes to its regime of surveillance are neither “advisable or possible”.
For context, what constitutes data shared by Facebook between its European and American headquarters is everything placed on the platform. This decision affects everything the company does. And it is unclear how it’s going to convince the EU to allow it continue on its current path. Judging by the verdict, it can’t.
There are some other facets to the decision worth pointing out. First, despite the animosity between Max Schrems and the Data Protection Commission, the ruling is fundamentally a victory for them both.
But if Mr Schrems thinks the DPC is slow now, wait until it gets bogged down in evaluating thousands of SCCs and data regimes involving third countries. Last October, the Commission received only one-third of the budget allocation it requested from the Government, a decision with which Commissioner Helen Dixon made clear her displeasure.
Should such a shortfall happen again, it’s difficult to see how the DPC can do its job effectively - the CJEU’s decision will most likely inflate its workload to a preposterous extent.
Finally, there is the matter of Britain. After Brexit, Britain has landed itself with third country status. You can imagine which country’s border will top the list for regulators seeking to evaluate if it represents a safe destination for their citizen’s data in the post-Schrems II world.