Europe's top court rejects 'Safe Harbor' ruling

Elizabeth Weise | USA TODAY

Show Caption Hide Caption Trouble for Apple, Facebook, Google with new European ruling USA TODAY's Shannon Rae Green interviews tech reporter Elizabeth Weise about the ruling that makes a 15-year-old agreement, (allowing for transfer of Europeans' data back to the U.S.) invalid.

WASHINGTON — Europe's top court on Tuesday ruled that a 15-year-old agreement allowing American companies to handle Europeans' data was invalid, a decision that could affect how technology companies such as Amazon, Facebook and Google operate overseas.

The European Court of Justice examined the case of an Austrian citizen who claimed that his data, in light of revelations by Edward Snowden that U.S. agencies spied upon people in other nations, wasn't being adequately protected by Facebook.

No appeal is possible as the European Court of Justice is the equivalent of the U.S. Supreme Court.

The ruling comes as European leaders and Washington are negotiating a new agreement on data transfers across the Atlantic. It also raises questions about how major U.S. tech firms can continue to operate in Europe without breaking the law.

The ruling immediately invalidates the Safe Harbor agreement, said Scott Vernick, head of the data security and privacy practice at the law firm of Fox Rothschild.

Under so-called Safe Harbor rules, U.S. firms are allowed to transfer personal data of European citizens back to the U.S.. They only have to follow one set of rules on how data they store and collect within the European Union is protected.

The rules governed what companies can do with information they gather when users post on social media, search the web, buy items online and other activities. Companies use this information to direct ads and promote products.

Without the Safe Harbor rules, in place since 2000, each country in the European Union could potentially set is own privacy rules and regulations, creating enormous barriers to U.S. firms doing business there.

The ruling could "unintentionally tilt the global privacy and data protection landscape to make the EU the global center of gravity," said Jim Koenig of Paul Hastings, a Washington, D.C.-based law firm.

It could also force U.S.-based businesses to make expensive infrastructure investments and build European data centers to process data previously transferred to the U.S., said Fox Rothschild's Vernick.

Larger U.S. tech companies have set up procedures to transfer data beyond the Safe Harbor framework. Microsoft told its enterprise cloud customers on Tuesday that it believes they can continue to transfer data by relying on additional steps and legal safeguards it put in place when it realized the court ruling was a possibility.

Laws in the European Union view personal data privacy as a fundamental right. U.S. laws consider it more an issue of consumer protection.

To bridge that gap, the Safe Harbor agreement was created. It provides U.S. companies with a single legal framework for sharing information with European firms, giving them legal protection to do business.

Some of the requirements of the agreement include that organizations that collect and use information about individuals explain why the information is collected, give the individuals' the choice to opt out of having their personal information disclosed to a third party, be able to correct or delete inaccurate information, and take reasonable precautions to protect the information from loss or unauthorized access.

Today, more than 3,000 businesses in the U.S. and the EU depend on the agreement to avoid running afoul of European privacy laws, according to the Information Technology and Innovation Foundation.

That could change because of the lawsuit brought last year against Facebook by Austrian law student and privacy advocate Max Schrems.

He argued that spying on Europeans by the National Security Agency, as disclosed by Snowden, meant his data privacy rights were not being adequately protected.

Schrems filed the case in Ireland, Facebook’s European headquarters. The Irish court rejected the suit and Schrems appealed to the European high court.

"This decision is a major blow for U.S. global surveillance that heavily relies on private partners. The judgement makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights," Schrems said in a statement posted on his Twitter account after Tuesday's ruling.

In a statement, Facebook said Europe's Advocate General had been very clear the issue was not Facebook per se, but the mechanisms that European law provides to enable essential transatlantic data flows.

The company said it was imperative that the EU and U.S. governments ensure that reliable methods for lawful data transfers are provided to companies.

In an opinion on Sept. 23, the European Court's Advocate General for the case, Yves Bot, had already declared the Safe Harbor agreement invalid.

Bot wrote that, "once personal data is transferred to the United States, the National Security Agency and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data."

The U.S. Mission to the European Union issued a statement saying that "the United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens."

The PRISM surveillance program is "targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations," the statement said.