When Max Schrems asked the Irish Data Protection Commissioner to stop Facebook Ireland transferring his personal information to the U.S. in 2013, he couldn’t have foreseen that it would put the personal data processing operations of thousands of other businesses in legal jeopardy.

Schrems’ 2013 complaint went all the way to the European Union’s top court, which in 2015 unexpectedly struck down the Safe Harbor Agreement on transatlantic data transfers. Thousands of businesses that had relied on this to justify their export of customers’ and employees’ personal data from the EU to the U.S. for processing suddenly had to seek alternate legal justification — or find data hosting and processing resources inside the EU.

The demise of Safe Harbor

EU data protection law says that personal information can’t be exported to a regime offering less protection than it has in the EU. Various legal mechanisms exist to extend that protection, including binding corporate rules for intra-group transfers, or standard contract clauses approved by the European Commission. Safe Harbor was one of these — essentially a declaration that, as long as businesses followed certain rules, the European Commission considered that U.S. law provided adequate protection.

After months of uncertainty following its demise, it was replaced by Privacy Shield, a new agreement between EU and U.S. administrations allowing transatlantic data transfers to resume.

However, it turned out that Facebook had never relied on Safe Harbor at all, but rather on standard contract clauses to protect its data transfers under EU privacy law.

Schrems duly revised his original complaint about Facebook’s processing of his data to target standard contract clauses, and that complaint has once again made its way to the Court of Justice of the European Union amid speculation that it too could threaten businesses’ export of personal data to the U.S.

Judgment in this new case, which has become known as “Schrems II,” isn’t expected until early in 2020, but a public hearing on July 9 gave hints about how things could turn out.

Interestingly, Schrems isn’t the plaintiff in the case, but a defendant. The plaintiff is the Irish DPC, which filed suit against him and Facebook as a legal maneuver to obtain a ruling on matters of law raised by his complaint.

At stake is whether the U.S. government undertakes mass processing of the personal data of EU citizens when that data is held in the U.S., whether that form of surveillance is legal under EU privacy law, and whether standard contract clauses on data transfers provide adequate privacy protection for EU citizens.

Standard contract clauses in the crosshairs

Schrems and the DPC agree that U.S. surveillance laws breach fundamental EU privacy rights; where they differ is on what can be done about it. Schrems wants the DPC to stop individual data transfers where standard contract clauses provide insufficient legal protection; the DPC says it has no power to do so.

The EU is seeking to make improvements in this area. European Commissioner for Justice Věra Jourová said on June 13: “We are already working to modernize standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”

Facebook, meanwhile, says that there’s no problem with its data transfers, as the European Commission has already ruled, through its acceptance of the Privacy Shield data-sharing framework that replaced Safe Harbor, that U.S. surveillance laws pose no threat to EU citizens’ fundamental rights.

The adequacy of Privacy Shield, though, is the target of another legal challenge the court is mulling, this one from a group of French NGOs.

And there’s the rub: If the CJEU decides to take a very broad view of the French case or of the second Schrems complaint, as it did with his first, it could decide to invalidate the standard contract clauses used by Facebook and others, and Privacy Shield too.

Actions for CIOs

For CIOs and general counsel, then, it could be 2015 all over again. Some processing of EU citizens’ personal information in the U.S. could be outlawed overnight, leaving businesses to either stop it, find somewhere else to do it, or take a gamble on the consequences.

While there’s still time, CIOs need to figure out what personal information their organizations hold on EU citizens, whether they are processing it outside the EU, and what consent or legal justification they have for that processing. On the bright side, as long as their organization is in compliance with the EU’s General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, they should already have many of the answers at their fingertips.

The European Data Protection Board has produced a handy guide to the derogations provided by Article 49 of the GDPR that will help CIOs decide what to do next.

Some processing of personal information is always allowed, such as to comply with a contract to provide goods or services to the person concerned, or if the person has consented to the data transfer and has been made aware of the privacy risks involved. Again, organizations in compliance with GDPR will already have a record of which data they can transfer under these derogations.

For the rest, there are still a few months left in which to prepare technological responses to a potential data disaster that may never happen.