EU Data Transfer Ruling Leaves Tech Companies in Quandary
Oct 6, 2015 4:44 PM PT
Europe's highest court on Tuesday ruled that a 15-year-old agreement regulating electronic data transfers with the United States was invalid, potentially striking a blow to thousands of U.S. technology companies that rely on a uniform legal standard do business overseas.
The European Court of Justice ruled that the U.S. Safe Harbor agreement was inadequate to protect the privacy rights of ordinary citizens. The ruling came in response to a privacy activist's complaint, filed with Irish regulatory authorities.
The complainant, Austrian citizen and law student Maximillian Schrems, argued that personal information he shared on Facebook, which maintains its European headquarters in Dublin, could not be shared with a third country without adequate safeguards.
U.S. whistleblower Edward Snowden's revelations showed that adequate protections were not in place to protect private citizens from snooping by the U.S. government or other agencies that might use their personal data for unauthorized and illegal surveillance, Schrems claimed.
The Irish regulatory authorities must examine Schrems' complaint and decide whether to suspend the transfer of all data to Facebook on the grounds that it does not protect personal data adequately, the court ruled.
"In particular, legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," its judgment states.
Privacy Rights Reinforced
The case is not about Facebook, the company emphasized, noting that the Advocate General himself said it did nothing wrong.
"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from Safe Harbor," the company said in a statement provided to the E-Commerce Times by spokesperson Jodi Seth. "It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."
The ruling draws a "clear line" in terms of the ability of third-party countries to gather private data, and the U.S. abused those laws to spy on private citizens, Schrems alleged.
"The decision is a major blow for U.S. government surveillance that relies heavily on private partners," he added. "The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
Snowden, whose 2013 revelations about U.S. international surveillance practices formed the backdrop of the original complaint in this case, called the ruling a major victory in favor of the privacy rights of ordinary citizens.
"Europe's high court just struck down a major law routinely abused for surveillance," Snowden said in a tweet. "We are all safer as a result."
The decision could have a major impact not only on existing technology companies, which operate heavily in Europe, but also on startups looking to expand.
It definitely complicates the business model for any of the large ISPs," noted Jim McGregor, principal analyst at Tirias Research.
Despite the reaction, U.S. officials argued that the plaintiff made erroneous arguments in his presentation that the court accepted as fact, and noted that the Obama administration has taken numerous steps to increase the level of transparency and accountability in the U.S. intelligence-gathering process.
European officials noted that they were actively working with the U.S. to reform rules governing data transfers and utilization, and said they were working on a plan to find an agreement that would protect the privacy rights of citizens, while allowing businesses and governments to function without major interruptions.
"We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the U.S. in light of the ruling," said Frans Timmermans, first vice president of the European Commission. "As citizens need robust safeguards and businesses need legal certainty, the guidance should help [in] avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike."
The ruling leaves U.S. companies in a sort of "legal limbo" because this particular ruling was not in reaction to any actual or potential behavior engaged in by Facebook or any other technology firm, noted Danny O'Brien, international director of the Electronic Frontier Foundation.
"What we envisage now," he told the E-Commerce Times, "is the idea that [companies will] just have to keep rolling along," until another data privacy decision comes down.