In June 2013, Austrian resident Max Schrems asked Ireland’s data-protection commissioner to prevent Facebook from transferring his data to the United States. Because all European Facebook users must agree to have their data transferred overseas for processing, they lose the protection of Europe’s Data Protection Directive, and Schrems worried that his personal data could not be protected under U.S. law.
While a legal framework known as the Safe Harbor provision requires that U.S. companies agree to protect European citizens’ data, documents leaked by former U.S. National Security Agency contractor Edward Snowden highlighted that the companies also provided data to counter-terrorism agencies through a variety of intelligence programs.
Schrems’ case was initially denied. In a ruling released on Oct. 6 that has shaken multinational corporations, however, the European Union’s highest legal authority ruled that Safe Harbor is invalid and returned power to each European country’s data-protection commissioner to review cases.
The ruling puts U.S. companies in legal jeopardy. No longer can they be assured that their data-collection practices will not be challenged by European citizens, and the legality of transferring data from the EU is now a legal gray area.
“This causes all sorts of headaches for any multi-national company that needs to operate in both countries,” Omer Tene, vice president of research for the International Association of Privacy Professionals, told eWEEK. While Facebook is the company against which Schrems filed his complaint, any corporation that transfers data across the Internet is in equal jeopardy, Tene said. “It could have been anyone else, not just Facebook. He could have filed against any company that had operations in both countries.”
The case is the latest fallout from the NSA’s approach to counter-terrorism and intelligence-gathering. As revealed by former NSA contractor Snowden, the intelligence agency had regular access to Internet and telecommunications companies’ customer data through secretive court orders and, when such access was not enough, through compromising networking hardware used by multinational companies and Internet firms. Paired with the United States’ lack of unified protections for citizens’ privacy, the issue has left the nation vulnerable to questions about how companies can protect the data of other nations’ citizens.
Privacy Laws Set the Bar
The European Union has a strong legal framework for the protection of personal data. Established in 1995, the Data Protection Directive, also known more formally as Directive 95/46/EC, prohibited data from moving outside the EU to countries with lesser protections, until negotiations between the European Commission and the United States created the Safe Harbor agreement. Companies following Safe Harbor can certify to the U.S. Department of Commerce that they are abiding by Europe’s more stringent privacy regulations. Any violation of the business’ pledges can be prosecuted by the U.S. Federal Trade Commission under its mandate to enforce fair trade practices.
“We have a lot of privacy laws that are industry-specific, or are specific to the type of data,” Chiara Portner, partner at law firm Paradigm Counsel LLP, told eWEEK. “There is no overarching privacy law, like they have in the EU.”
Scuttling of Safe Harbor Leaves Companies in Holding Pattern
Yet, in November 2013, the European Commission published an analysis of the impact of U.S. national security policy on the privacy of European citizens, finding that personal data handled by multinational companies could be “accessed and further processed by U.S. authorities in a way incompatible with the grounds on which the data was originally collected” under European law. The EU Court of Justice’s ruling cites that finding as undermining the effectiveness of the Safe Harbor framework.
The ruling leaves companies, especially Internet firms and cloud providers, in a gray zone, Fred Kost, senior vice president at HyTrust, a virtualization management firm, said in a statement.
“Safe Harbor allowed self-certification that adequate measures were being taken to protect data,” Kost said. “With the adoption of the cloud and the loss of Safe Harbor, companies face harsh requirements on the location and protection of data stored by them.”
Little to Worry About, Initially
For the most part, however, little will immediately change. Companies abiding by Safe Harbor in good faith will have little to worry about, at least initially, IAPP’s Tene said. Many of the largest companies have already created ways to deal with the issues, segmenting customer data, and the storage of that data, by jurisdiction.
“If you are Microsoft or Pfizer, or a Fortune 100 company, chances are you have already solved the problem,” Tene said. “They knew this was coming; it was not a big surprise. But if you are a smaller company, then you face a lot of confusion.”
Others will have to wait to see how EU regulators respond. The most clarity would be provided by negotiations that are already underway between the European Union and the United States over a second Safe Harbor framework.
“The ruling now puts a lot of pressure on the EU Commission to finalize a new agreement, which is already in progress,” said Sean Sullivan, an advisor at security software firm F-Secure.
Yet the European Union could make it very hard on U.S. businesses, depending on the motives driving the ruling, Daniel Arthursson, CEO of CloudMe, a cloud storage and file synchronization solution, said in a statement provided to eWEEK. If the EU government aims to stop all unauthorized access to personal data, any U.S. company, no matter whether they store data in the United States or the European Union, will be suspect, as they still have to abide by U.S. laws as well, he said.
“The declaration of invalidity of the Safe Harbor Act to protect EU citizen privacy will have far larger repercussions for U.S. cloud services than most people realize,” he said. “U.S. entities, including subsidiaries operating overseas, are required to comply with U.S. law and may be ordered to disclose information from its EU data centers—quickly eliminating this as a viable solution to the problem.”
In the end, the situation will be a tricky one to solve. Unless companies have the ability to refuse access requests from the National Security Agency—or any other nation’s intelligence or law-enforcement agency—they will always be subject to search warrants and national security letters, F-Secure’s Sullivan said.
“The NSA asks for information on a target–and Facebook delivers the details,” Sullivan said. “That is still possible, regardless of any safe harbors.”
The outcome of the debate will rely on whether security trumps privacy, or the other way around. Rather than try to protect personal data against such requests, governments may agree that they are necessary, Sullivan said. It’s not unreasonable, if the power is not abused.
“Based on Facebook’s transparency reports—it really doesn’t happen all that often,” he said.