Tomorrow, Facebook will file High Court papers challenging Helen Dixon's preliminary order to stop data transfers.
It smacks of panic.
In case you missed it, the Irish Data Protection Commissioner (DPC) gave a preliminary order to Facebook to stop transferring users' personal data to the US.
This has always been regarded as a nuclear option. But it's happened. And it will almost certainly affect everyone reading this in some way.
Facebook is spooked. But it believes that the DPC has moved far too quickly. It will present its legal arguments as to why next week. A good guess is that it will say the Irish DPC has boobed by opening an enquiry and making a preliminary decision at the same time, contrary to what a regulated entity might expect.
Is this just a stalling tactic to delay the inevitable?
The problem with Facebook's argument is that the DPC is really only doing what the European Court of Justice said it now has to do.
In July, in the Schrems-Facebook case that saw the transatlantic 'Privacy Shield' data transfer agreement struck down, the court said that the US treats EU citizens' privacy like dirt. Consequently, it said that data regulators now had to start shutting off data transfers that are based on existing legal mechanisms like 'standard contractual clauses'.
So that's what the Irish DPC is doing. Hence the order to Facebook.
If the tech giant argues that the Irish regulator should, in fact, wait a bit longer to see whether European colleagues can come up with something of a replacement to standard contractual clauses, should that be heeded?
It very much depends on who you ask.
To trade organisations, this has the potential to be a disruptive nightmare. Remember what we're talking about here: legal uncertainty over (or even a prohibition on) using cloud hosting services, ecommerce portals and video-conferencing platforms as they're currently set up.
An extreme case was set out by Facebook's global affairs vice-president (and former UK deputy prime minister) Nick Clegg.
"In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider," he said.
"A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco."
To be fair, Clegg would say that, wouldn't he? But he isn't alone. There are a lot of trade bodies who are freaked out by the possible implications from all of this.
On the other hand, consider the position that the Irish DPC is in. What is the overwhelming criticism that her office gets, day in, day out?
That it moves too slowly.
That it pays too much heed to the considerations of the tech giants it's regulating.
That it holds back from implementing the most serious enforcement remedies.
Given that it now effectively has a directive from Europe's highest court, and is still fighting rearguard actions against privacy campaigners ceaselessly snapping at its heels to move quicker to stop transatlantic data transfers, isn't it understandable that it has made this preliminary order?
When this topic gets discussed in detail, my experience is that it makes many people's eyes glaze over. The absence of that middle ground is quite important. It leaves the debate in the hands of profit-driven companies and privacy true believers, who are at polar opposites of the spectrum.
The problem with the companies is that they can't see much further than their own bottom line. But the challenge with leaving everything up to the privacy advocates is that many of them are willing to blow up trade in defence of privacy, which they regard as a bigger priority. No more Facebook or Amazon or Google? Sounds great, many of them say. To be sure, there is an arguable case here. Big tech companies haven't helped themselves on many occasions over the last few years. But it's less clear whether the general public is quite in step with a view that we'd be largely better off without them.
Regardless of any of that, the actual question here is an even bigger one. There is a fundamental issue that we can no longer dodge: the EU and the US do not agree on what an acceptable level of 'security surveillance' of citizens' data is. Both sides appear happy to sink transatlantic trade to defend their core view on it.
For instance, does anyone really believe that Donald Trump's administration - or even a Joe Biden one - will suddenly agree that Europe's objections to its security surveillance laws are to be adhered to? If you're one of those who argues that the power of the EU's market to persuade them of this should do the trick, you may be more isolated than you imagine.
And it's a similar question for the Americans. Do their authorities and politicians really believe that European 'wimps' will get in line on the US's "proportional" security response in the form of surveillance laws? Sorry, but that boat seems to have sailed. And there's no longer the UK to act as a proxy on it inside the Union.
Even if we wanted to tone it down on this side of the Atlantic, we can't.
"Supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means," said Europe's highest court in July.
This is very, very serious. We need to get ready for an unprecedented level of disruption very soon.