The case stems from a challenge taken by Austrian privacy campaigner Max Schrems

By Will Goodbody, Science & Technology Correspondent

This week’s announcement by the Web Summit that it was moving to Lisbon from next year has consumed countless hours of airtime and plenty of column inches.  But significant as that decision is, it somewhat overshadowed another technology related story that broke at almost precisely the same time and which will arguably have much longer and more profound consequences.

The European Court of Justice’s Advocate General issued his opinion that the “Safe Harbour” deal that allows the transfer of user data between the EU and US is invalid. He did so in the context of an ongoing court challenge by Austrian privacy campaigner, Max Schrems, to Facebook’s treatment of data collected by it in Europe. Schrems claims that the company is in effect helping the US National Security Agency (NSA) to harvest email and other private data from European customers by forwarding their data to servers in the US.

So what is Safe Harbour?

In 1998 the EU brought in a data protection directive which prohibits the transfer of personal data to non-EU countries that don’t meet its adequacy standard for privacy protection. That posed a problem for the US, as it takes a different approach to privacy. So in order to bridge the differences, the two blocs developed a framework in 2000 known as “Safe Harbour” – a streamlined system that would enable US based companies to comply with the directive. In effect it allows US companies to move data from the EU to the US and store it there, provided they self-certify that the data has the same protections as it would if it were left in the EU.

And what’s the problem?

Privacy campaigners have had difficulties with this system for some time. But the situation came to a head when revelations started to emerge in 2013 via ex-NSA contractor Edward Snowden about US government surveillance programmes like Prism, and claims that technology companies were assisting it. This prompted privacy campaigners and others to legitimately question how Safe Harbour’s system of self-certification could credibly be considered to be an adequate protection for EU based users of US technology companies’ services. Particularly, they claimed, if it was the case that technology companies are helping the NSA, and if there is no proper oversight of Safe Harbour by EU authorities.

What happened next?

Max Schrems asked the Office of the Data Protection Commissioner (ODPC) here to investigate, as it is responsible for regulating Facebook in Europe due to the presence of the social network’s European HQ in Dublin. He claimed Facebook was facilitating NSA backdoor access to its customers’ private data. But the ODPC declined to carry out a probe because it said it did not have the jurisdiction to do so, as Safe Harbour allowed data transfers to take place. Schrems appealed that decision to the High Court in Dublin, which duly referred the question on to the European Court of Justice.

So what did it find?

The court itself hasn’t ruled officially yet. But its Advocate General – in this case Yves Bot – has assessed the case, and has made a recommendation to the judges. Such opinions are non-binding, but are in most cases adopted by the court. Mr Bot believes Safe Harbour is invalid, does not do enough to protect EU citizen’s private information in the US and should have been suspended. He also said that national data protection authorities had the power to suspend transfers to third countries if they felt EU citizens’ privacy was compromised.

Why does that matter?

If the court confirms the AG’s decision, the ramifications for tech companies and their European customers are serious and widespread. Currently more than 4,400 US companies are certified to use the Safe Harbour method of returning European citizens’ data to the US. The list includes big household names like Apple, Google, Facebook, Amazon, AOL, Yahoo – most of the same major multinationals who have significant and growing presences here. If the court upholds the recommendation, these companies will either have to rapidly find another legal route of moving data to the US, or build new facilities here in Europe to store it, or stop collecting the data completely. Either way, the commercial and technical downsides appear significant for them, their users and by extension the Irish economy.

And the wider implications?

The AG’s view, if accepted, is also likely to damage already testy relations between the US and EU over the regulatory treatment of technology companies in Europe. This at a time when the EU is trying to conclude a new system of regulation for data protection within its borders and attempting to agree a new transatlantic trade deal.

Are there any winners?

Clearly the big winner in all of this is the European citizen. Few of us would be happy to think that our personal communications are being sifted through, analysed and profiled by intelligence agencies in the US. This ruling, if confirmed, would hand us back a little more control of our data from companies that appear to be increasingly encroaching on our privacy rights. Also, the data centre industry here could also benefit. Because if overnight data can no longer be transferred to the US and must remain in the EU, new storage locations will be required.

What happens next?

The ECJ’s final judgement will be anxiously awaited. If it backs Bot’s interpretation, and Safe Harbour is deemed invalid, pressure will immediately pile on the EU and US to rapidly conclude a new considerably more robust mechanism for the transfer of European citizens’ data to the US. Negotiations on such a deal have been going on for some time without agreement. But given the chaos that could ensue if the ECJ confirms the AG’s opinion, one would hope that the intensity of those negotiations has upped considerably in the last 24 hours.

Meanwhile Facebook, which has all along maintained it complies with EU data protection law, says it and all the other technology companies transferring data across the Atlantic, await the full judgement.

You can bet it is with some trepidation.

Comments welcome via Twitter to @willgoodbody