European court finds in favor of Max Schrems, student who asked EU’s data protection commissioner to bar Facebook from transmitting his data to the US

Private industry was in a rage while privacy groups were elated on Tuesday over a new ruling by the European Court of Justice (ECJ) affirming European citizens’ right to privacy from American tech companies.

On Tuesday, the European court ruled in favor of Max Schrems, an Austrian graduate student who asked that EU’s data protection commissioner bar Facebook from transmitting his personal data to the US on the grounds that many tech firms had cooperated with the National Security Agency.

Transmission of personal data had previously been covered by a “safe harbor” agreement between Europe and the US that allowed tech firms to share the data with explicit consent from their customers. Businesses that operate in Europe must now make sure they are compliant with the EU’s own laws before they subject their customers’ personal information to laxer restrictions in the US, the court said.

The advertising industry was not pleased. “Today’s decision by the European Court of Justice jeopardizes thousands of businesses across the Atlantic,” said Mike Zaneis, executive vice-president of public policy and general counsel for the Interactive Advertising Bureau, who called the overturned provision “an efficient means to comply with EU privacy law”.

“The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation,” said Zaneis. “We urge the US and EU to agree on new rules for the transatlantic transfer of data, taking into account the CJEU’s judgment.”

Evan Greer, campaign director for internet activist group Fight for the Future, said: “The ECJ has confirmed what the vast majority of internet users already know: large US-based tech companies have been deeply complicit in mass government surveillance, and have traded their users’ most basic rights for a cozy relationship with the US government. While the discussion around NSA spying has far too often focused only on the rights of US citizens, the ECJ ruling is a reminder that freedom from indiscriminate surveillance is a basic human right that should be protected for everyone, regardless of where they live.”

Tech giants such as Facebook, Apple and Google have long planned for a loss and are likely to fall back on their own user agreements to allow them to transmit data overseas or use their own legal status within Europe to circumnavigate the ruling.

“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.

“It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” said a Facebook spokesperson.

The judgement is likely to be “good news for lawyers” for years to come, said one tech executive, and likely to disproportionately hit smaller tech companies.

James Kinsella, a former Microsoft exec who runs European privacy law compliance company Zettabox, said flatly that the new regulation would not stifle trade. “It will require that companies doing business in Europe understand where they are putting their customers’ data. To say it will stifle is like saying, ‘requiring seatbelts in cars stifled car sales.’ No, it didn’t. It made cars safe; it made auto travel a more reliable form of transportation. It made the car an even more desirable and dependable form of transportation. So, too, with cloud services. At the moment, companies are putting their ‘passengers/customers’ data in the back seat without a seat belt.”

Kinsella also saw at least one area of industry that would benefit immediately from the ruling: European cloud storage. “It will help boost the cloud services business here, in Europe, which will be a good thing for everyone, because it will generate more competition and require that all providers consider new rules (like the GDPR) that will make ALL data safer for everyone.”