The two-year-old Snowden-NSA spying revelations have fueled a growing climate of hostility toward Google, Facebook and other US tech companies in Europe. And earlier today the European Court of Justice (CJEU) cited Snowden to kill a long-established Safe Harbor agreement that allowed the transfer and processing of data between servers in the US and Europe.
The case has broad implications for companies that do business in Europe beyond the tech sector. As a practical matter, every company moving any kind of data or personal information involving EU citizens outside of Europe will need to comply with stringent EU privacy rules. It also potentially “Balkanizes” privacy enforcement across Europe, likely giving country-level regulators more power over non-EU entities and corporations.
The ruling probably also sets the stage for private legal remedies by EU citizens against corporations doing business in Europe before local data protection authorities and courts. The Safe Harbor agreement had effectively preempted such individual rights and potential claims. Thus the fallout from the CJEU decision could make doing business in Europe much more complex and potentially costly.
The underlying action was brought against Facebook by Austrian student and privacy activist Max Schrems. Schrems complained about Facebook’s alleged lack of data protection under EU law. He argued that the transfer of that data from Facebook’s Ireland-based subsidiary to the US violated European regulations because it exposed EU data to US government spying — in light of the 2013 Snowden revelations.
Irish regulators denied the complaint on the basis of the international US-EU Safe Harbor agreement. It was appealed and went to Ireland’s highest court. The decision today by the CJEU invalidates the agreement and remands the matter to Irish data protection regulators to consider Schrems’ complaint.
At issue is whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” The CJEU decision, embedded below, makes the Irish regulator’s decision a foregone conclusion: the answer is yes.
The IAB sent out a public statement on the decision that laments its potential impact on EU-US business relations:
Today’s decision by the European Court of Justice jeopardizes thousands of businesses across the Atlantic. For nearly 15 years, the Safe Harbor agreement has provided IAB member companies with an efficient means to comply with EU privacy law. Thanks in part to the Safe Harbor agreement, the US and EU are among the world’s most vibrant digital advertising marketplaces, together representing $84 billion in annual revenue, or nearly two thirds of global digital advertising revenues. This robust digital advertising ecosystem has provided citizens across Europe with countless free digital services, including news, entertainment, email, and social networks. The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation. We urge the US and EU to agree on new rules for the transatlantic transfer of data, taking into account the CJEU’s judgment.
The UK, Germany, France and Spain have all been discovered spying on their own populations, as the NSA was. So there’s irony (or hypocrisy) in the CJEU’s decision. Complying with EU data protection rules therefore doesn’t mean that EU citizens’ data won’t be spied on or exposed to government authorities.
I have limited ability to comment on the technology implications of the CJEU decision except to say that US tech companies will need either to maintain European servers and not do any data transfer between countries or to adopt tougher EU privacy standards globally.
Either way one looks at it, the decision creates new uncertainty and major challenges that will probably need to be resolved politically in a new agreement. But given the CJEU’s skepticism and cynicism there’s no guarantee that any international agreement will be trusted and upheld.