Europe’s ruling on the 15-year-old Safe Harbour treaty marks increasing concerns about American tech companies’ use of personal data
Max Schrems, a 28-year-old Austrian law student, became an international sensation last week, when years of campaigning ended with him forcing Europe’s top court to deal a huge blow to America’s technology industry.
The European Court of Justice issued a bombshell ruling, declaring invalid a treaty that gave thousands of US companies the freedom to move Europeans’ data across the Atlantic.
“Safe Harbour”, a pact signed in 2000 between the European Commission, the US and Switzerland, allowed more than 4,400 American businesses operating in Europe including Facebook, Google and Apple to effectively bypass rules on moving data abroad.
In scrapping Safe Harbour, the European Court of Justice threatened to spark a diplomatic row. The White House said it was “deeply disappointed” with the decision.
One US senator accused the European court of “nothing less than protectionism… that will wreak havoc on businesses on both sides of the Atlantic”. Several tech companies said they would have to make changes to ensure they could continue to operate.
The decision also crystallises a growing suspicion of US technology companies that has been steadily manifesting since the whistleblowerEdward Snowden blew the lid off the American government’s digital spying programmes.
Businesses based in America bring European data back home for all kinds of legitimate reasons. HR departments might need information about staff based abroad, or it may be cheaper to keep data on servers in the US rather than setting up new ones in Europe.
For 15 years, the Safe Harbour treaty overrode the scrutiny of national regulators, which must enforce data protection rules when personal information is moved by a company to a foreign server. It was largely agreed that America was a safe place for Europeans’ data to be.
But in the last two years, concerns have increased about a consequence of data being sent abroad: the potential for snooping. Allegations made by Snowden, the US intelligence services contractor-turned whistleblower, that the US National Security Agency’s Prism programme gives it a backdoor into Facebook, Google and Microsoft have raised new questions about the US internet companies’ relationships with the US government.
Schrems, a campaigner who says he became interested in data protection laws after attending a lecture in which a Facebook lawyer downplayed European privacy laws, saw this.
He challenged the Data Protection Commissioner (DPC) in Ireland, where Facebook bases its European operations, to investigate the social network’s compliance with data protection rules claiming Snowden’s disclosures showed that the US doesn’t protect European citizens’ data.
When the DPC refused, calling the claims “frivolous”, Schrems took them to court, a process that eventually made its way to Europe’s highest court.
“The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Yves Bot, the ECJ advocate general said ahead of Tuesday’s ruling.
“The surveillance carried out … is mass, indiscriminate surveillance.”
After the ruling, America’s technology giants, nervous about any perception they were letting government spooks access user data, were quick to downplay its immediate significance, saying they were still allowed to move data thanks to other legal arrangements, such as customer agreements. “This case is not about Facebook. The advocate general himself said that Facebook has done nothing wrong,” a spokesman for the social network said.
“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour.”
Microsoft said: “We don’t believe today’s ruling has a significant impact on our consumer services.”
Others, however, were not so dismissive of the ruling. Companies including Box, a cloud computing provider, said it would open data centres in Europe in light of the ruling.
CA Technologies, a New York-based software company, said: “Secure data flows around the whole world have become the lifeblood of economies, so we have very strong concerns about the implications of today’s judgment.”
“The consequence of the decision will go beyond Safe Harbour, creating the risk of a fragmented approach in Europe towards international data transfers.”
But even if the immediate consequences of the ruling are not obvious, last week’s decision cannot be taken in isolation. Since Snowden’s revelations, US tech groups have found life in Europe significantly more difficult.
Google, which has been under investigation on the Continent for five years over claims that it abuses its search engine monopoly, has faced extra scrutiny in recent months. It has been hit with a formal claim on the matter from Europe’s new competition commissioner as well as facing a second probe into Android, its mobile operating system.
Microsoft, meanwhile, is fighting a very public legal battle with the US government over data stored in Ireland, which it refuses to hand over to the FBI. It has called the matter of data privacy “fundamental to the future of global technology”.
Facebook, meanwhile, continues to be under pressure from Schrems and his “Europe v Facebook” campaign, which is attempting to claim damages for thousands of users from the social network for violating data laws.
The European Commission and US have been working on a new version of Safe Harbour for two years. But negotiations will take place in a very different atmosphere from 2000. A “safer Safe Harbour”, as Vera Jourová, the EU’s justice commissioner, termed the new treaty last week, will be agreed on substantially changed terms.