What began as one student's complaint against Facebook has swelled into an international battle over privacy, one that could reshape how personal data is protected across Europe and the United States, and how Silicon Valley traffics citizens' information.
In a landmark ruling, the European Court of Justice struck down an arrangement known as Safe Harbor, which allows American tech companies to transfer data of European citizens to the U.S. without outside scrutiny from EU regulators. While the Safe Harbor agreement requires American firms maintain high consumer data protection standards, equivalent to European ones, the high court ruled that the arrangement violates citizens' fundamental rights to privacy and judicial protection.
The court found that American national security and law enforcement interests have intruded upon the fundamental rights Safe Harbor is meant to protect. The initial privacy complaint that inspired the court's ruling, lodged by Maximillian Schrems of Austria, cited a massive U.S. surveillance program involving American internet companies. Known as PRISM, the program was revealed to the public in 2013 through the disclosures of Edward Snowden.
While American businesses can use means beyond Safe Harbor to transfer information across the Atlantic, the tech industry believes them to be costly and cumbersome. And it worries that a shattered Safe Harbor will put global commerce in a state of limbo. Some 4,000 American and European businesses rely on the data agreement, which was first established in 2000.
Christian Borggreen, the Europe director of the Computer and Communications Industry Association, representing Amazon, Google, and Microsoft, said in a statement Tuesday that the European Court of Justice's ruling creates uncertainty for companies that rely on the agreement. "We expect that a suspension of Safe Harbor will negatively impact Europe's economy, hurt small- and medium-sized enterprises, and the consumers who use their services the most," he said. "It is imperative that the EU does not become a disconnected island in a global digital economy."
The Internet Association, another major tech industry advocacy group, emphasized the need for regulatory guidance, now that the arrangement has been invalidated. CEO Michael Beckerman also urged Congress in a statement to pass a surveillance law that would extend certain legal protections to European citizens.
While Facebook does not rely on Safe Harbor to transfer its information, the company would still like to see the larger U.S.–EU dispute over surveillance and data protection settled. "It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security," a Facebook spokesperson told BuzzFeed News.
The first official response from the U.S. government was one of frustration. Secretary of Commerce Penny Pritzker said that American and European officials have been negotiating an update to the Safe Harbor framework for the past two years, with the goal of shaping more robust and transparent data protections. "We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy," she said. "Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this framework over the last 15 years." Pritzker joined tech industry officials in calling for a swift rejuvenation of an updated Safe Harbor.
In the coming days, the European Commission, the executive arm of the EU, will meet with data protection regulators across Europe to determine what the ruling means in practice. "Our citizens need robust safeguards and businesses need legal certainty," said Commission Vice-President Frans Timmermans during a press conference Tuesday afternoon. In addition to the potential economic impact of the court's ruling, data protection authorities in each of the EU's member states can investigate the data transfers of American businesses operating in Europe. Without Safe Harbor shielding U.S. firms, these regulators are empowered to scrutinize and curtail data transfers that don't meet European standards.
During the same press conference, Commissioner Vera Jourová said that following the Snowden revelations of 2013, the commission offered 13 recommendations to their U.S. counterparts to improve the Safe Harbor arrangement. While she had hoped to conclude negotiations by this summer, Jourová said several national security items remained sticking points. She declined to say when negotiations between the EU and U.S. would conclude, but she joined Secretary Pritzker in aiming to establish a new, improved data arrangement with haste.
"The ruling confirmed that we are doing the right thing, that we are negotiating a safer Safe Harbor," she said. For the commission, the court's judgment strengthens the European position. "This gives us better potential," she said.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.