A ruling by the European Union's highest court today may create enormous headaches for US tech companies like Google and Facebook. But it could also provide more robust privacy protections for European citizens. And they all have Edward Snowden to thank---or blame.
Up until now, these companies have been able to transfer data they collect from users in the European Union to servers in the US, a practice made possible by the EU's executive branch's so-called "Safe Harbor Decision" in 2000. Today, the Court of Justice of the European Union ruled that the Safe Harbor Decision was invalid. The ruling cannot be appealed.
Now tech companies have to figure out what the ruling means. Facebook and other companies haven't been found guilty of any wrongdoing. But quashing the Safe Harbor Decision could open the floodgates to privacy investigations and lawsuits.
Where does Snowden fit in?
The Safe Harbor Decision held that the US provided adequate safeguards for personal information and that no company transferring data from the EU to the US would be prosecuted for doing so. That determination was overruled today as a result of a legal complaint filed against Facebook in Ireland by Austrian activist Maximillian Schrems. Schrems argued that, based on information about the National Security Agency's practices leaked by Edward Snowden in 2013, the US does not actually provide sufficient protection of private data and that Facebook therefore acted illegally by transferring his private data to its servers in the US. The Irish court found that Facebook was protected by the Safe Harbor Decision. As a result of today's ruling, however, the complaint Irish authorities must judge the complaint based on its own merits without regard for Safe Harbor.
Although the Court of Justice did find that the US provided inadequate safeguards for individual privacy, the ruling does not necessarily mean that Facebook, or any other country, will be found guilty of breaking the law. Rather, it places that decision-making authority in the hands of the supervisory authorities of individual EU countries, such as Ireland, as opposed to the European Commission, the EU's executive branch. That's why the consequences of the decision are so unclear at the moment.
And that's what's fueling angst in the tech industry. The European technology organization DIGITALEUROPE worries that the court ruling will have a major economic impact on the region. "The immediate invalidation of transatlantic data flows will cause immediate harm to Europe’s data economy and will negatively impact countless consumers, employees and employers," the organization said in a statement.
"We have grave concerns about the long-term implications this Judgement will have on the way Europe transfers data to the rest of the world."
Privacy advocates, on the other hand, hailed the decision as a victory. "Edward Snowden's revelations show that the U.S. cannot expect to continue to be the custodian of the world's information unless it strengthens its laws to protect our data," the non-profit organization Privacy International said today. "Americans deserve stronger protections, and so does everyone who transacts with American companies. Any modern economy must properly protect people's data."
Still, even keeping data on EU soil might not be enough to keep it private. Observers have argued for years that, under the Patriot Act, US companies storing data in foreign countries could be compelled to turn that data over to the US government, regardless of the laws governing the country in which the data actually resides.
