In June 2013, Austrian resident Max Schrems asked Ireland's data-protection commissioner to prevent Facebook from transferring his data to the United States. Because all European Facebook users must agree to have their data transferred overseas for processing, they lose the protection of Europe's Data Protection Directive, and Schrems worried that his personal data could not be protected under U.S. law.
While a legal framework known as the Safe Harbor provision requires that U.S. companies agree to protect European citizens' data, documents leaked by former U.S. National Security Agency contractor Edward Snowden highlighted that the companies also provided data to counter-terrorism agencies through a variety of intelligence programs.
Schrems' case was initially denied. In a ruling released on on Oct. 6 that has shaken multinational corporations, however, the European Union's highest legal authority ruled that Safe Harbor is invalid and returned power to each European country's data-protection commissioner to review cases.
The ruling puts U.S. companies in legal jeopardy. No longer can they be assured that their data-collection practices will not be challenged by European citizens and the legality of transferring data from the EU s a legal gray area.
"This causes all sorts of headaches for any multi-national company that needs to operate in both countries," Omer Tene, vice president of research for the International Association of Privacy Professionals, told eWEEK. While Facebook is the company against which Schrems filed his complaint, any corporation that transfers data across the Internet is in equal jeopardy, Tene said. "It could have been anyone else, not just Facebook. He could have filed against any company that had operations in both countries."
The case is the latest fallout from the NSA's approach to counter-terrorism and intelligence-gathering. As revealed by former NSA contractor Snowden, the intelligence agency had regular access to Internet and telecommunications companies' customer data through secretive court orders and, when such access was not enough, through compromising networking hardware used by multinational companies and Internet firms. Paired with the United States' lack of unified protections for citizens' privacy, the issue has left the nation vulnerable to questions about how companies can protect the data of other nations' citizens.
Privacy Laws Set the Bar
The European Union has a strong legal framework for the protection of personal data. Established in 1995, the Data Protection Directive, also known more formally as Directive 95/46/EC, prohibited data from moving outside the EU to countries with lesser protections, until negotiations between the European Commission and the United States created the Safe Harbor agreement. Companies following Safe Harbor can certify to the U.S. Department of Commerce that they are abiding by Europe's more stringent privacy regulations. Any violation of the business' pledges can be prosecuted by the U.S. Federal Trade Commission under its mandate to enforce fair trade practices.
"We have a lot of privacy laws that are industry-specific, or are specific to the type of data," Chiara Portner, partner at law firm Paradigm Counsel LLP, told eWEEK. "There is no overarching privacy law, like they have in the EU."