Earlier this month, the European regional court in Vienna heard preliminary arguments in a class action lawsuit against Facebook, which challenges the “safe harbor” framework under which US companies transfer personal data from the European Union to their US-located servers while remaining in compliance with the EU’s data protection laws.
The suit against Facebook is spearheaded by an Austrian law student, Maximilian Schrems, who claims that the existing US-EU data protection regime no longer guarantees the privacy of European residents and fails to induce compliance with the EU’s Data Protection Directive, following revelations that Facebook provided the US National Security Agency with access to user data as part of the NSA’s PRISM surveillance program. The case is brought against Facebook's European headquarters, Facebook Ireland Limited, which registers all Facebook accounts outside the United States and Canada — roughly 80 percent of Facebook’s 1.35 billion users.
According to the Wall Street Journal, spending on digital advertisements in Western Europe is expected to total $34.81 billion in 2015, making the personal information that fuels targeted advertising valuable currency for companies that offer ad-supported services.
The “safe harbor” framework under which US companies can legally transfer that valuable data from the EU was agreed to by the US and EU in 2000. Essentially, the safe harbor allows US companies to transfer data out of the EU if they self-certify to the US Department of Commerce that they comply with EU data protection standards.
The suit against Facebook is brought by 25,001 users/plaintiffs, and 50,000 more users have registered to join the class according to Europe–v–Facebook, a group started by Schrems. Each plaintiff claims the equivalent of about $532 (€500) in damages.
The recent hearing in Vienna was on Facebook’s preliminary challenges to jurisdiction in Vienna and the plaintiffs’ ability to bring the suit as a class action. No decision has yet been issued, but if the suit goes forward, it could have widespread implications for US companies that move personal data from the EU to their domestic servers. However, talks between the US and EU about revising the safe harbor framework could result in a revised US-EU data protection framework independent of the lawsuit.