- Judges say U.S. spies may get access to EU citizens' data
- EU citizens' right to privacy not guaranteed by U.S. rules
A trans-Atlantic pact that potentially allows U.S. spies to get their hands on European citizens’ private data was declared invalid by the EU’s highest court, a ruling that threatens to plunge Internet companies into a legal limbo.
Judges at the European Union’s top court struck down the so-called safe-harbor accord after an Austrian law student complained about how U.S. security services can gain unfettered access to Facebook Inc. customer information sent to the U.S. The ruling affects more than 4,000 companies, ranging from tech giant Google Inc. to cereal maker Kellogg Co.
The 15-year-old agreement, which allows American companies to move commercial data back to the U.S., compromises the privacy of EU citizens and their right to challenge the use of their information, the EU Court of Justice in Luxembourg said Tuesday.
“This judgment is a bombshell,” said Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels. “The EU’s highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbor. All these companies are now forced to find an alternative mechanism for their data transfers to the U.S. And, this, basically overnight.”
The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to decide whether the deal still protects privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.
The pact, drafted in the pre-9/11 days, was designed to facilitate trade by allowing U.S. companies with activities in Europe to shift information between their sites. It allowed companies to transfer data provided they adhered to a list of principles designed to ensure privacy isn’t breached.
U.S. legislation “permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the EU court said in a binding ruling. The pact “is accordingly invalid.”
Austrian privacy activist Max Schrems, 28, triggered the case with a complaint he filed against Facebook with the privacy watchdog in Ireland, where the U.S. social network company has its European base. He alleged that Facebook’s Irish unit illegally handed over data to U.S. spies. Schrems had previously filed 22 complaints against the Menlo Park, California-based company.
No Quick Fix
“The ruling won’t make it very easy to repair this and a quick fix won’t be possible either,” Schrems told reporters in Luxembourg. “But it’s the first time that something actually happens in this entire mass surveillance box.”
The court’s ruling wasn’t surprising but could “potentially be disruptive” to U.S. companies, Michael Daniel, the White House’s cybersecurity coordinator, said in an interview in Washington Tuesday.
The judgment “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy,” American commerce secretary Penny Pritzker said in a statement.
While Tuesday’s ruling will add to the clamor to negotiate Safe Harbor 2.0, it immediately revealed splits between EU governments.
German Justice Minister Heiko Maas described the judgment as a “strong signal” for the European Commission to “fight for our data protection standards internationally.”
The British government called the ruling “disappointing,” saying “there is an important principle here that companies must be able to transfer data to third-party countries.”
EU officials said their aim is to step up discussions with the U.S. to reach a new Safe Harbor pact.
The EU has “received very strong commitments from the U.S. that there will be strong monitoring” of data use under any new agreement, EU Justice Commissioner Vera Jourova, in charge of data protection issues at the European Commission, told reporters in Strasbourg, France.
Daniel, the White House cybersecurity expert, is confident an agreement will be reached.
“I am convinced that it will be in the interest of both the United States and Europe to figure out how to enable data to flow for commercial purposes across the Atlantic in either direction,” he said. “Ultimately we will figure out how to do that.”
The urgency of the ruling was highlighted by the speed of the judgment, just days after an adviser to the EU court described the safe harbor as illegal.
“Companies have worked under this agreement for 15 years,” said Christian Borggreen, Europe director at the Computer & Communications Industry Association, a lobby group based in Washington, D.C. and Brussels. “There’s a lot of uncertainty. The first question that all companies are asking the European Commission is: ‘Now what?’”
Facebook, like other tech giants, has been reeling from the effects of the Snowden revelations in 2013. The companies have been trying to assure their users or customers that their products are secure and that they don’t willingly turn over data to the U.S. government.
“The bigger the size of the company, the more likely they are to be on the Safe Harbor certified list,” said Tom De Cordier, a lawyer at CMS DeBacker in Brussels. “If you have 20 or 50 different legal entities in the U.S., it is easier to have safe harbor than to have to go through the whole set of intra-group data transfer agreements.”
“There are a number of other tools that companies can use,” including model clauses that can be copied and pasted into agreements or binding corporate rules, which are sets of unilateral privacy commitments, said De Cordier by phone. While they can be popular, some of these options are “cumbersome” and can “cause a bit of an administrative nightmare.”
Facebook said the case is about mechanisms of European law rather than individual firms.
There are workarounds, and Facebook said in a statement that it, “like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from safe harbor.”
“It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” Facebook said in a statement.
Kellogg’s press office didn’t immediately respond to e-mails asking for reaction to the ruling. Yahoo said the decision “creates uncertainty” for companies.
The court’s decision could disrupt the ability of intelligence agencies to obtain data critical to preventing terrorist attacks, former U.S. National Security Advisor James Jones said in an interview in Washington.
"During my time in the White House, we prevented several attacks on European soil by transferring information very quickly to our friends in Europe," said Jones, who served under President Barack Obama from 2009 to 2010. Disrupting information sharing means "we’re all swimming by ourselves," Jones said.
Peter Olson, president of DigitalEurope, a trade group with members including Google and Microsoft Corp., said the commission should “immediately issue guidance to companies operating under the safe harbor framework to ensure that essential and routine commercial activities can occur during the current legal vacuum.”
The EU and the U.S. should also, as a matter of urgency, conclude their long-running negotiations to provide a new safe harbor agreement, he said.
The case is: C-362/14, Maximilian Schrems v. Data Protection Commissioner.