EU Safe Harbor ruling a blow to tech companies

Europe's top court declares invalid a pact allowing thousands of companies to transfer to the US information on users in the European Union's 28 countries – such as when someone clicks 'like' on Facebook or an advertisement link.

Dado Ruvic/Reuters/File
A 3D-printed Facebook logo is seen in front of the logo of the European Union in this file photo illustration made in Zenica, Bosnia and Herzegovina, May 15, 2015.

Europe's top court ruled Tuesday that data stored on U.S. servers is potentially unsafe because of government spying, a blow to companies such as Facebook that might need to change the way they handle private data from the region.

The court's decision declares invalid a pact allowing thousands of companies to transfer to the U.S. information on users in the European Union's 28 countries – such as when someone clicks "like" on Facebook or an advertisement link.

The case was brought by an Austrian law student in the wake of revelations by former U.S. National Security Agency contractor Edward Snowden of the extent of the NSA's surveillance programs.

Max Schrems complained that U.S. law doesn't offer sufficient protection against surveillance of data transferred by Facebook to servers in the United States.

The verdict could have far-reaching implications for companies operating in Europe as well as for the region's ailing economy.

The decision does not mean companies have to immediately stop transferring data to the U.S. Rather, it opens up the possibility that European regulators will be inundated by complaints by consumers, making it hugely difficult to do business.

"The message is clear – that mass surveillance is not possible and against fundamental rights in Europe," said Schrems after the ruling.

Companies, he added, "cannot just aid foreign spies and get away with it because they fall under European jurisdiction."

The so-called "safe harbor" agreement has allowed companies to send data on users from the EU to U.S. since 2000. That includes information on how users behave online, such as what pages they visit and where they spend money.

Since its creation, the agreement has helped facilitate Internet businesses, such as social media, which rely heavily on user data. Facebook and Google, for example, earn money from advertising that relies on data on how users behave on the Internet – what they search for and what they click on.

But the revelations of NSA spying have provoked a backlash from European consumers and governments.

In a separate case, for example, Google is being forced to consider Europeans' requests to delete from its search results links to content that they find offensive or inappropriate.

The European Commission, the EU's executive branch, has tried to revise the "safe harbor" agreement over the past two years and expects Tuesday's ruling will support that effort.

"Today's judgment is an important step towards upholding Europeans' fundamental rights to data protection," said European Commission Vice President Frans Timmermans. "In the light of the ruling we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic."

Schrems, the Austrian student, complained to the data protection authorities in Ireland, where Facebook has its European headquarters, that his information was not safe on U.S. servers.

Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that under the "safe harbor" agreement, the U.S. ensures adequate data protection.

In Schrems' case, the Irish data commissioner will now be required to "decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data," the court said.

In a statement, Facebook said it's now "imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security."

The statement noted that the European court's advocate general "himself said that Facebook has done nothing wrong."

AmCham EU, which represents U.S. companies across all sectors in the EU, said the ruling could have serious implications for Europe's economy.

"We are concerned today's Court's decision will jeopardize the free flow of data across the Atlantic, compromise the EU economic recovery and negatively impact the Commission's goal to create a Digital Single Market," said Susan Danger, AmCham EU's managing director.

Markus J. Beyrer, the director general of lobby group BUSINESSEUROPE, warned that the judgment gives rise to "great legal uncertainty that must be remedied urgently."

He said several thousands of companies – and not just major corporations like Facebook – have relied on the pact allowing the transfer of data.

"The solution is not to revoke Safe Harbor, but to improve it," he said.

But achieving a new agreement will be difficult, says professor Felix Wu of Cardozo Law School in New York.

"Safe harbor was never designed to address U.S. government surveillance," he said. Because the 4th Amendment protecting U.S. citizens' privacy does not apply to people outside the U.S., the data agreement cannot adequately protect Europeans' data stored in the U.S.

While the EU and U.S. work on a new data sharing agreement, companies can continue to transfer information across the Atlantic, says the Commission's Timmermans.

He says the EU will provide guidance to national data protection authorities on how to deal with data transfer requests in light of the ruling.

"Our citizens need robust safeguards and businesses need legal certainty," he said. "The guidance should help avoiding a patchwork of potentially contradictory decisions by the national data protection authorities and therefore provides predictability for citizens and businesses."

Schrems was lauded by Snowden, the former NSA contractor who flew to Moscow two years ago after revealing information about the previously secret eavesdropping powers.

"You've changed the world for the better," Snowden said in a tweet.

____

Geir Moulson in Berlin and Raf Casert in Brussels contributed to the story.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.