In a David versus Goliath battle, an Austrian law student may topple the biggest EU-US data sharing deal when he gets his day in court in a couple of weeks' time.

Max Schrems, who set up the Europe v Facebook group, alleges that Facebook violated the so-called safe harbour agreement which protects EU citizens' privacy. He says the infringement came about thanks to Facebook transferring its users' data to the US National Security Agency (NSA).

The European Court of Justice (ECJ) will hear details of the case on 24 March.

Schrems first appealed to the Irish Data Protection Commissioner to investigate his claims. He was refused on the grounds that Facebook was signed up to the safe harbour agreement and so could transfer data to the US with impunity.

Under European data protection law, companies can only transfer consumer data out of the EU to countries where there is an “adequate” level of privacy protection. As the US does not meet this adequacy standard, the European Commission and the US authorities came up with a workaround and, in 2000, set up the voluntary safe harbour framework whereby companies promise to protect European citizens’ data.

These promises are enforced by the US Federal Trade Commission – but since the Snowden revelations, there has been doubt these promises are worth the paper they’re written on.

When the Irish Data Protection Commissioner refused to investigate, Schrems appealed to the Irish High Court, who then referred the whole question of safe harbour adequacy to the ECJ.

High Court Justice Gerard Hogan said in his ruling: “There is, perhaps, much to be said for the argument that the Safe Harbor Regime has been overtaken by events. The Snowden revelations may be thought to have exposed gaping holes in the contemporary US data protection practice.”

He added that Schrems was not required to prove that his own data had been spied upon in order to make a complaint.

The ECJ will now hear submissions about how safe harbour is implemented, the role of national data protection authorities in policing the agreement and what provisions have been put in place to ensure the protection of the privacy of European citizens.

Following calls from the European Parliament to suspend the agreement, the European Commission proposed 13 recommendations in November 2013 to “restore trust in data flows between the EU and the US.”

With even the author of the deal accepting that it’s on shaky ground, the idea of David slaying Goliath is not so remote. ®