Advertisement

'Safe harbour' data ruling leaves U.S. companies in legal limbo

A recent court ruling may boost the European Union's efforts to reassert authority over how its citizens' data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders.

U.S.-based internet companies like Facebook, Amazon and Google are now likely scrambling to determine if they need to change their European operations after a judge in the European Union's highest court ruled Tuesday that the agreement allowing them to transfer data to the United States violates Europeans' rights.

"This is definitely difficult for companies to deal with and it's not a problem of their making either. It's the governments' laws," says Tamir Israel, a staff lawyer at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic.

"But I think that paradigm does need to change."

Many countries offer their citizens some level of protection to keep their online data gathered by giant internet companies somewhat free from government scrutiny. Often, those same protections don't apply to people outside that country's borders.

"The privacy of non-citizens is essentially in a black box right now," says Israel.

Countries can create laws to limit government surveillance of their citizens' data, but can't necessarily impose laws on how other countries treat their residents' online information, he says.

"It's this big kind of international black hole."

The safe-harbour deal

The recent legal battle started years ago, when ​Maximillian Schrems, a law student in Europe and privacy advocate, complained Facebook wasn't protecting his data from U.S. authorities.

His complaint came after revelations from former NSA contractor Edward Snowden suggested Europeans' personal data collected by internet companies and sent back to the U.S. may end up in the hands of government agencies.

Snowden released internal NSA documents that alleged a program called Prism gave the U.S. government backdoor access to data collected by companies like Facebook and Google.

The EU requires companies outside its borders to live up to its strict data privacy policy, which was passed in the late 1990s.

In some countries, existing privacy laws were deemed adequate to ensure sufficient protection for Europeans' data, says Colin Bennett, a political science professor at the University of Victoria.

Canada's privacy laws, contained in the Personal Information Protection and Electronic Documents Act (PIPEDA), were among these.

The U.S., on the other hand, doesn't have a comprehensive privacy law, he says. So the EU and the U.S. negotiated the U.S.-EU Safe Harbour deal to allow U.S. companies to send Europeans' personal data to the U.S. and other non-EU nations.

To do so, U.S. companies must self-certify annually by proving their practices follow the EU's rules on data protection. They must adhere to the seven principles of notice, choice, onward transfer, access, security, data integrity and enforcement.

Facebook is certified, according to export.gov, which lists more than 5,000 companies that currently or at some point have adhered to the deal's guidelines. Google, Amazon, Apple, Twitter and eBay are all also listed as compliant.

Deal tossed out

The Prism program allegations, however, suggested Facebook user data sent from Europe to the U.S. may be accessed by U.S. government officials, Schrems argued.

He first complained to the Irish data protection commissioner, who rejected his claim, pointing to the existence of the safe-harbour deal. The Irish authorities were the first point of contact as Facebook's European headquarters are in the country.

The complaint from Schrems wound its way through European courts, until the EU's highest court, the Court of Justice of the European Union, ruled the Irish authority erred in not investigating. The Irish data protection commissioner will now have to fully investigate the complaint.

The court also found the safe-harbour agreement had too many broad exemptions allowing U.S. authorities access to Europeans' data, Bennett says.

"Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the court's judgement read. Europeans' fundamental rights are outlined in the EU Charter of Fundamental Rights.

In its finding, the court nullified the safe-harbour agreement.

Uncertain future

This creates a problem for companies like Facebook that need to move data from EU countries to their U.S. servers.

Bennett sees three possible solutions, with varying degrees of likelihood.

U.S. companies could house European data on servers on the continent, he says, but that would cause multiple logistical issues.

The U.S. Congress could pass a general privacy law that, like Canada's, the EU could deem adequate. There is a "really remote" chance of that happening, he says, considering the political battles within Congress.

Most likely, the EU and the U.S. will negotiate a new version of the safe-harbour deal that will be "a lot stronger" than the current version, Bennett says. Negotiations started taking place already in anticipation of Tuesday's judgement.

But it's a problem that won't be solved overnight, says Israel, because any of the possible solutions takes time.

That leaves U.S. companies with European operations in a bit of legal limbo. It's possible the EU could impose fines or threaten jail time for companies it deems break its privacy laws, he says, but that's unlikely in the near future.

The EU is likely to wait for negotiations to end with the U.S. before starting to "rigidly" enforce these orders, he says.

It's "imperative" that the two governments "continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security," an unidentified Facebook spokesperson said in a statement.