European Court of Justice Privacy Shield legal opinion to be published on Thursday
ECJ advocate general also considering whether EU's standard contractual clauses provide sufficient protection for European consumers
The legality of tools used by Facebook and other tech firms to transfer European customers' personal data abroad will become clearer this week when an adviser to the European Court of Justice (ECJ) finally releases their non-binding opinion.
The opinion is due to be published on Thurday, 19th December.
Henrik Saugmandsgaard Øe, advocate general at the Luxembourg-based ECJ, is considering whether the European Union's standard contractual clauses (SCCs) provide sufficient protection.
Saugmandsgaard will also decide whether the EU-US Privacy Shield, which came into existence in 2016, is lawful or not.
There's no way that the ECJ can say that model contract clauses are valid if they killed Safe Harbour on the same grounds
A full decision on the issue by the ECJ is expected to come in early 2020.
According to Reuters, the case has implications for thousands of tech firms operating in the EU. An adverse ruling may affect data transfers, not only from the EU to the US, but also from the EU to other locations across the world, where SCCs are used to facilitate data transfers.
SCCs are a standardised form of document that, once approved by the European Commission, allow companies to transfer data without further reference to the authorities.
Privacy activists have long argued that SCCs provide a convenient loophole for data processors to carry on with business as usual and that Privacy Shield is little better than the framework it replaced.
In 2013, Max Schrems, an Austrian law student and privacy activist, asked the Irish Data Commissioner (DPC) whether Facebook sending his personal data to the US was in breach of EU's data protection law.
The complaint revolved around the way that data on European citizens could be accessed by US security services, as revealed by Edward Snowden.
However, instead of making a ruling on Schrem's complaint, the DPC took the case to the Irish High Court, which - following a lengthy discussion - referred the issue to the Luxembourg-based ECJ for further guidance.
The ECJ eventually annulled the EU-US data sharing agreement, called Safe Harbour, in 2015. It was quickly replaced by the current Privacy Shield framework.
Facebook has been using the SCCs for transferring data to the US since Safe Harbour was abolished. However, Schrems claims that Facebook's SCCs do not offer sufficient data protection safeguards.
If the ECJ annuls the SCCs that would mean tech firms "would either need to suspend transfers of personal data to these countries or risk breaching the GDPR and exposing themselves to significant revenue based fines," according to Jamie Drucker at UK-based law firm Bristows.
"There's no way that the ECJ can say that model contract clauses are valid if they killed Safe Harbour on the same grounds. Everyone in the room knows model contract clauses are a shaky thing, but it was the best they had so far," Max Schrems said three years back.
Last year, when the Irish High Court referred the complaint about Facebook's transfer of European citizen's personal data to the US to the ECJ for a second time, Schrems said that he was pleased with the decision.
But, he regretted that the case had taken five years to reach this stage. He believed the Irish DPC could have made the decision itself rather than resorting to the ECJ. However, he is hopeful that the details of Privacy Shield will come under more scrutiny.