Since then multinationals like Facebook, Google, Apple and Microsoft have relied on so-called "model contract clauses" to give them a legal framework for arguing that their data transfers do not contravene the EU's data protection rules.
However, on Wednesday Ireland's Data Protection Commissioner announced its intention to challenge Facebook's transfer of EU users' data to the US at the CJEU, following a complaint by Austrian law student and privacy activist Max Schrems.
"We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues," the Commissioner stated.
Sources told The Irish Times that while the investigation is continuing, the commissioner has come to a preliminary view that Facebook's mechanism for transferring data does not give EU citizens an effective legal recourse in the event that their rights are contravened by a US public authority.Max Schrems commented that the CJEU is likely to rule against the model contract clauses, in the same way that it judged the Safe Harbor policy to be invalid.
"There is no way the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws," said Schrems, adding that he doesn't see a way out for these internet firms until the US changes its regulations on data protection and surveillance.
"All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with," he said.
"As long as the US does not substantially change its laws I don't see how there could be a solution."