U.S. Companies, Playing by European Rules

The American approach to safeguarding consumer data may not meet EU standards.

Max Schrems, the Austrian student who brought the suit.

Photographer: Christian Bruna/AFP/Getty Images

There is a strong likelihood that the European Court of Justice, the European Union's highest judicial authority, will act this year to strike down the Commission decision that allowed the unhindered transfer of personal data between the EU and the U.S. Although there are easy ways for U.S. tech companies to get around data transfer rules, such a ruling would send an unintended message: Europe, in effect, would be making an official determination that the U.S. allows the abuse of private information.

Yves Bot, one of the European court's nine advocates general, has advised the court to invalidate the 2000 European Commission decision that deemed the U.S. safe for personal data transfers. Under that decision, U.S. companies could simply certify themselves as compliant with the "Safe Harbor Privacy Principles" and were then allowed to send Europeans' names, addresses, payment information, e-mails and private messages to U.S. servers in the course of online transactions. The decision also allowed them to disclose that information to U.S. authorities if required to do so.

Bot wrote in his opinion -- which the court is likely to heed as it usually does for its advocates general -- that this sort of latitude didn't ensure the protection of Europeans' privacy rights. 

The case started with an Austrian law student's attempt to get Facebook to handle user privacy differently. Max Schrems started exploring the subject as an exchange student at Santa Clara University. He wanted to know whether Facebook complied with the European "right of access" rule: Would the social media site send him all the data it held about him? After some initial difficulty, Facebook sent a CD containing more than 1,000 pages of his data, which had been used to target advertising and personalize his Facebook feed. He then encouraged others to make similar requests, but Facebook stopped providing all the raw data it held. Schrems and others complained to the Irish data protection authority: Facebook's international headquarters, the entity that contracts with users outside the U.S. and Canada, is in Ireland and is supposed to comply with Irish law. The privacy office went easy on Facebook, but Schrems didn't give up: By now, he wanted to make sure the U.S. company was in full compliance with European rules.

He crowdsourced funds to challenge both Facebook and the Irish privacy watchdog in the courts. As part of that broader campaign, Schrems contended that Facebook made its users' personal data available to the National Security Agency as part of an operation revealed by the whistleblower Edward Snowden. The Irish High Court ruled that "personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data. Indeed, in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusion." It then referred to the European Court of Justice the question of whether a national data protection authority in an EU member country is bound by the Commission's Safe Harbor decision, or may investigate such transfers on its own.

The European Court of Justice will make its decision later this year. If it accepts Bot's opinion, and Schrems wins, the U.S. will no longer be a country that "ensures an adequate level of protection" for Europeans' data. For Facebook and the other 4,500 U.S. companies that operate under Safe Harbor, this might mean having to change their system architecture to store European data in Europe, which would be costly and cumbersome. DigitalEurope -- a trade group that includes the U.S. Internet giants -- already has expressed concern. 

The effects of a ruling against Facebook may be minimal: As Schrems pointed out in his comments on the Bot opinion, Article 26 of the European data protection directive provides for exceptions to the rule forbidding data transfers to countries without adequate protection. For example, information may be sent if the user has unambiguously consented to the transfer. Forcing users to tick an extra box on forms is much easier than changing how data is stored globally.

And even if companies were forced to store Europeans' data in Europe, U.S. intelligence agencies could get access to it. Microsoft has refused to comply with a U.S. warrant for e-mail stored at its data center in Ireland and is fighting the U.S. government in the courts, but other companies may not be as principled. In any case, digital privacy is almost impossible to enforce.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.