Thursday's European Court of Justice (CJEU) decision on the second case brought by Austrian privacy activist Max Schrems was always going to be huge. The only question was the degree of enormity.
This morning, the justices gave a blockbuster opinion that will impact nearly every business, small to large.
At the heart of this decision lie Edward Snowden’s 2013 disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet companies.
Those disclosures in turn structured the important CJEU Digital Rights Ireland decision in 2014, which invalidated the EU’s Data Retention Directive and set out required protections for data gathered by state authorities.
That decision then shaped the CJEU's first 'Schrems 1' ruling in 2015, that Schrems' Facebook data was not given adequate protection under the former Safe Harbour EU/US data transfer agreement.
Both of those decisions were incorporated into the EU’s 2018 General Data Protection Regulation (GDPR), under which all EU data must be given EU-equivalent safeguards when transferred to the US.
The European Commission and the US government argued that Safe Harbour’s replacement, the 2016 Privacy Shield data transfer agreement, offered such protections.
But as the CJEU ruled today, given the continued existence of those surveillance programmes and the lack of adequate redress for Europeans in the US, Privacy Shield did not.
In effect, the court ruled that personal data is not, as US companies generally view it, an asset to be monetised. Instead, it is our personal possession, with strong and specific human rights protections.
This does not mean data transfers must be halted, because the court also ruled that companies can use an alternative mechanism of private agreements, called Standard Contractual Clauses.
These are already widely used by large multinationals, and Facebook’s use of them was central to the original grounds for this case. But the decision means smaller businesses, which don’t have in-house legal teams to draft agreements, must also use them.
Some of that headache will be eased by the commission, which has been preparing SCC templates for general use.
However, all companies now must make their own determination as to whether other countries adequately protect data to EU standards.
This potentially opens up significant legal liabilities, and immediately raises problems with all data transfers to the US. Sending data to Brexit UK, a country with equally secretive mass data-gathering state programmes, will also be in question.
Today’s decision places new work burdens on EU data protection authorities, tasked with determining the data protection adequacy of other states, and of individual SCCs.
In particular, this will increase the load of the Irish DPC office, given Ireland’s concentration of US data-gathering multinationals.
In the near term, many companies will likely shift to holding data in the EU. The big multinationals have been preparing for this eventuality for years – one reason for the explosion in data centres in Ireland.
But ultimately, this decision poses a shattering challenge to the data-centric business models of many companies, from social media platforms to advertising giants, which make their money by exploiting users’ personal data.