Citing NSA Spying, European Court Kills Data Transfer Agreement Between EU & US
Underlying case claimed that transferring EU citizens’ Facebook data to US servers exposed it to potential US government spying.
The two-year-old Snowden-NSA spying revelations have fueled a growing climate of hostility toward Google, Facebook and other US tech companies in Europe. And earlier today, the European Court of Justice (CJEU) cited Snowden to kill a long-established Safe Harbor agreement that allowed the transfer and processing of data between servers in the US and Europe.
The case has broad implications for companies that do business in Europe beyond the tech sector. As a practical matter, every company moving any kind of data or personal information involving EU citizens outside of Europe will need to comply with stringent EU privacy rules (that are about to get stricter). It also potentially “Balkanizes” privacy enforcement across Europe, likely giving country-level regulators more power over non-EU entities and corporations.
The ruling probably also sets the stage for private legal remedies by EU citizens against corporations doing business in Europe before local data protection authorities and courts. The Safe Harbor agreement had effectively preempted such individual rights and potential claims. Thus the fallout from the CJEU decision could make doing business in Europe much more complex and potentially costly.
The underlying action was brought against Facebook by Austrian student and privacy activist Max Schrems, who complained about Facebook’s alleged lack of data protection under EU law. He argued that in light of the 2013 Snowden revelations, the transfer of data from Facebook’s Ireland-based subsidiary to the US violated European regulations because it exposed EU data to US government spying.
Irish regulators denied the complaint on the basis of the international US–EU Safe Harbor agreement. It was appealed and went to Ireland’s highest court. The decision today by the CJEU invalidates the agreement and remands the matter to Irish data protection regulators to consider Schrems’s complaint.
At issue is whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” The CJEU decision, embedded below, makes the Irish regulator’s decision a foregone conclusion: the answer is yes.
The IAB sent out a public statement on the decision that laments its potential impact on EU–US business relations:
Today’s decision by the European Court of Justice jeopardizes thousands of businesses across the Atlantic. For nearly 15 years, the Safe Harbor agreement has provided IAB member companies with an efficient means to comply with EU privacy law. Thanks in part to the Safe Harbor agreement, the US and EU are among the world’s most vibrant digital advertising marketplaces, together representing $84 billion in annual revenue, or nearly two thirds of global digital advertising revenues. This robust digital advertising ecosystem has provided citizens across Europe with countless free digital services, including news, entertainment, email, and social networks. The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation. We urge the US and EU to agree on new rules for the transatlantic transfer of data, taking into account the CJEU’s judgment.
The UK, Germany, France and Spain have all been discovered spying on their own populations, as the NSA was. So there’s irony (or hypocrisy) in the CJEU’s decision. Complying with EU data protection rules therefore doesn’t mean that EU citizens’ data won’t be spied on or exposed to government authorities.
I have limited ability to comment on the technology implications of the CJEU decision, except to say that US tech companies will either need to maintain European servers and not do any data transfer between countries or adopt tougher EU privacy standards globally.
Either way one looks at it, the decision creates new uncertainty and major challenges that will probably need to be resolved politically in a new agreement. But given the CJEU’s skepticism and cynicism, there’s no guarantee that any new international agreement would be trusted and upheld.
Postscript: The following statement about the decision was issued today by US Secretary of Commerce Penny Pritzker:
Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years.
For the last two years, we have worked closely with the European Commission to strengthen the U.S.-EU Safe Harbor Framework, with robust and transparent protection, including clear oversight by the Department of Commerce and strong enforcement by the U.S. Federal Trade Commission.
The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible.
We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world’s digital economy.