In its ruling today on the Max Schrems-Facebook case, the European Court of Justice has rejected the “Safe Harbor” agreement that allowed US tech companies to use a single standard for consumer privacy and data storage in both the US and Europe. This means companies that store European data like Facebook and Twitter, as well as many hosting providers, may now face scrutiny from individual European countries’ data regulators.
The landmark ruling from the EU’s highest court, the European Court of Justice (ECJ), has effectively put an end to a 15-year-old system that let US and European companies avoid cumbersome checks when transferring data across the Atlantic. It was used by more than 4,000 firms including IBM, Google, and Ericsson.
The Root of the ECJ’s Decision: US Intelligence Gathering Practices Infringe on European Privacy
While Facebook is named in the case, the real issue is that private data was made available on a large scale to the United States intelligence services through the National Security Agency’s “PRISM” initiative through intermediaries like Facebook that were required to provide data to authorities.
“The real objection,” according to ECJ Advocate General Yves Bot, “is not to the conduct of Facebook USA as such, but rather to the fact that the Commission has determined that the law and practice on data protection in the United States ensure adequate protection when it is clear from Edward Snowden’s disclosures that the United States authorities can have access on a mass and undifferentiated basis to personal data of the population living in the territory of the European Union.”
The mass collection of data from EU citizens illustrates how little Safe Harbor did to protect their privacy. Meanwhile, since US intelligence services have insisted on having comprehensive access to electronic communications services even where the link to national security threats are weak.
Advocate General Bot wrote in his opinion, “Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter… It should be emphasized, moreover, that the Safe Harbor scheme… does not contain appropriate guarantees for preventing mass and generalized access to the transferred data.”
Following the revelations of mass surveillance by US government agencies, the European Commission adopted 13 recommendations to revise and strengthened Safe Harbor in November 2013 as part of its overall strategy to restore trust in data flows between the US and Europe.
Recently, the EC had been working with the US on finalizing the details of an “umbrella agreement” specifying strong data protection rules around all exchanges of personal data for law enforcement purposes. It had also been laying groundwork for other transfers of personal data from the EU to the US.
Today’s decision, however, puts this work in flux. It also creates uncertainty among businesses doing foreign trade, but also companies headquartered in the US or Europe but with branch offices across the pond.
Trans-Atlantic Data Transmission Still Exists, But There’s a Lot of Uncertainty For Companies Storing and Handling Data
“The European Court of Justice’s decision… could be the digital equivalent of grounding all planes and stopping all shipping from Europe to the US overnight”
— Sen. Brian Schatz
The ECJ’s decision doesn’t mean personal data transfers will end immediately, but it gives regulators the right to suspend them if they don’t provide sufficient privacy protections. Companies will have to use lawyers to set up alternate privacy arrangements and prepare for the post-Safe-Harbor world.
IBM’s VP of Government and Regulatory Affairs, Christopher Padilla, told Reuters that the ECJ’s ruling added uncertainty and has jeopardized the free flow of data between the US and Europe, where cross-border data flows are the highest in the world. “The free movement of data across borders is the foundation of the global economy, facilitating everything from financial services and manufacturing to shipping and retail,” he said.
Ranking member of the Senate Subcommittee on Communications, Technology and the Internet, Sen. Brian Schatz, said that losing the US-EU Safe Harbor framework will have a disastrous impact on commerce. “The European Court of Justice’s decision announced this morning invalidates the current Safe Harbor framework; a decision which could be the digital equivalent of grounding all planes and stopping all shipping from Europe to the US overnight,” Sen. Schatz said in a statement.
He called on US Secretary of Commerce Penny Pritzker and FTC Chairwoman Edith Ramirez to work with their European counterparts in the European Commission and the member states to rapidly issue clear guidance on data transfers in light of the court’s decision. “Guidance is needed to ensure continuity for businesses and consumers on both sides of the Atlantic until a new agreement is in effect,” he said.
The US government could also take legislative action to restore the trust of the EU, and it could mean putting new limits on the ability of US agencies to gather intelligence. Sen. Schatz also said it’s the US Congress’ role to pass legislation that balances privacy, civil liberties, and national security.