The legal wrangling between US corporations and the EU over the transfer of user data could potentially have huge consequences for individuals and businesses on both sides of the Atlantic. The ongoing battle taking place at the Irish High Court is just one aspect of what is becoming an increasingly complicated issue.
How it began
The dispute over the EU’s Safe Harbour ruling can trace its roots back to what may be a defining moment in Internet history: Edward Snowden’s NSA revelations of 2013. Under the Safe Harbour scheme, US corporations can collect data from their European customers but only if certain criteria are met, chiefly that US organisations protect it from being “lost, stolen or destroyed.” Of course, in light of widespread US government surveillance, digital companies could no longer claim, with much certainty at least, that they were capable of protecting data relating to EU citizens.
This led Maximilian Schrems, an Austrian privacy campaigner, to make a complaint against Facebook Ireland (the subsidiary that sends data to the company’s US headquarters), claiming that his personal information was not adequately protected. The Irish High Court, however, believed that it was powerless to intervene under the Safe Harbour agreement, which led it to seek advice from the European Court of Justice (ECJ).
The current situation
Last month, the ECJ gave its response to the case of Schrems vs the Irish Data Protection Commissioner, recommending that the Safe Harbour agreement be scrapped, predominantly because “once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance.”
Immediately, this has led some US corporations to amend their terms of service and many more to worry about the future of their overseas operations. It has also meant that Mr Schrems’ complaint against Facebook has now been upheld and that the social network’s data transfers to the US will now be formally investigated.
The potential aftermath
Much of the long-term fallout of the Safe Harbour ruling will depend on what legislation ultimately replaces the now-invalid agreement. One possible outcome is that many US businesses (some 4,400 firms rely on Safe Harbour to operate abroad) will be required to build data centres in the EU in order to maintain a presence there. For larger businesses like Facebook and Amazon this is unlikely to be a problem; in fact, many of them already have European data centres in place. Smaller firms may find it much harder to follow suit.
Another option is for US corporations to adhere to stricter data legislation standards, the likes of which may make it harder for government agencies or other external bodies to gain access to user data. The problem with this approach is that it is only really worth pursuing if it is implemented in both the US and Europe – after all, it wasn’t just the NSA that was found to be engaging in mass surveillance. It remains to be seen whether the European Court of Justice is as critical of GCHQ when it comes to protecting data belonging to EU citizens.
The decision over what will replace Safe Harbour is due next year and businesses in the US and Europe will be hoping that it comes sooner rather than later. In the meantime, it’s promising at least that privacy protection is once again receiving serious debate, some two years after Snowden made those fateful revelations.