Adam Morton takes a look at the potential impact of the European Court of Justice’s ruling on the transfer of data to America.
In what has been described as a watershed moment in the transatlantic digital relationship, the European Court of Justice recently sided with a 28-year-old law student from Austria who challenged the legality of the 15-year-old pact between the United States and the European Union. The pact, commonly known as the Safe Harbour clause, allowed technology companies to ship personal information about their European users to America. This was allowed despite the fact that American privacy regulations are viewed as significantly weaker than those on this side of the Atlantic.
Max Schrems’ complaint against Facebook was filed with data regulators in Ireland, where the social networking company’s European headquarters is based. He argued that letting so much data flow to the United States has exposed Europeans to American spying. Schrems originally took his case to the high court after the Irish data protection commissioner, Helen Dixon, refused to investigate his concerns on the grounds that the provision was overseen by the European Commission.
The case was ultimately referred to the European Court of Justice by the case judge. With its ruling now in place, the data protection commissioner must decide whether the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the grounds that the country does not afford an adequate level of protection of personal data.
A new agreement
The ruling did not come completely out of the blue: it is a ratification of the European Union’s Advocate General’s opinion on Safe Harbour, but it was not expected quite so soon. A new safe harbour agreement has been under negotiation between the European Union and the United States for the last two years, following the Snowden revelations.
The European Union has been trying to limit the United States government’s access to its citizens’ data stored in the United States and to allow European Union citizens to sue American companies in American courts should they misuse their data. The European Union has been using the threat of vetoing future trade agreements as a stick, but an agreement has yet to be struck. The new ruling is likely to light a fire under the proceedings, as a new agreement is needed to help lubricate international trade in services.
The transfer of data has become a large part of how business is conducted today. Millions of people around the world have become used to the idea of collaboration with co-workers, customers and vendors across the world on their own terms, so much so that it is now considered the norm. This ruling has brought an abrupt halt to that concept and has left the roughly 4,000 companies that rely solely on the safe harbour provision wondering where to turn next.
Prior to this ruling, data stored about European citizens, such as their Facebook posts, tweets or Gmail messages, had been available for export to American-based data centres, where the data could be stored, processed and re-exported without the scrutiny of the formal regulatory process they would get in Europe. Now, thanks to this ruling, without alternative legal solutions in place, American companies who transfer data from Europe to their United States-based data centres risk a fine or orders to suspend data.
With the Safe Harbour clause now rendered invalid, companies like Apple, Facebook, Google and Microsoft will have to look at striking model contract clauses to allow their business model to continue. A model contract clause is a guarantee that the data transferred out of the European Union’s jurisdiction will be held and accessed in accordance with the European Union’s regulations. In reality, for large organisations like those listed above, this is likely to result in little more than a lot of paperwork. Many may already have model contract clauses in place, and some will even have European-based data centres that they will be able to use to comply with this ruling.
End users and start-ups
For end users, the impact of the ruling is unlikely to be obvious, as very few major firms are likely to be affected in a way that the end user will be able to recognise. However, some smaller companies may find the ruling to be very costly. Jan Rezab, the founder of Socialbakers, a social analytics company based in the Czech Republic, claims that this ruling will cost his firm millions as it is forced to shift the data it has stored on American-based infrastructure back to Europe.
Some commentators have also suggested that this ruling will close off European shores for smaller companies based outside of Europe looking to expand. They point to the example of Airbnb, a website for people to list, find and rent lodgings that was founded in California in 2008. Airbnb expanded into Germany in 2011, the American company’s first international location. However, without the ability to transfer data to their United States base, many commentators believe they may have turned to Asia instead.
Despite these claims about the potential negative impact this ruling may have on Europe’s digital sector, there are also those, including the French privacy watchdog, CNIL, who regard the ruling as a positive. They argue that rulings such as this may actually aid European start-ups by forcing international companies to comply with Europe’s higher privacy standards, putting them on an equal footing with American internet companies.
The stakes are high and data sharing should no longer be taken for granted. Companies and their cloud providers are more responsible than ever for their data sovereignty, and there is no one to point the finger at but themselves if they face consequences from ignoring or abusing data processes.