How an Austrian Student Gave 4,500 US Companies a Privacy Headache

Jeffrey Johnson is a legal writer with a focus on personal injury. He has worked on personal injury and sovereign immunity litigation in addition to experience in family, estate, and criminal law. He earned a J.D. from the University of Baltimore and has worked in legal offices and non-profits in Maryland, Texas, and North Carolina. He has also earned an MFA in screenwriting from Chapman Univer...

UPDATED: Oct 19, 2015

As reported by the Wall Street Journal, the European Union’s highest court struck down an agreement used by thousands of US companies to transfer the personal information of European citizens to the US.

The 15-year-old agreement is called the “Safe Harbor” pact and it’s used by about 4,500 US companies, including Google, Apple, Amazon, and Facebook.

Penny Pritzker, the US commerce secretary, said the decision “puts at risk the thriving trans-Atlantic digital economy.”

Safe Harbor

According to a US government website, the pact was made in response to the European Commission’s Directive on Data Protection, which went into effect in 1998.

The Directive prohibited the transfer of personal data to non-EU countries that didn’t measure up to EU standards for protecting privacy.

The problem was, the US didn’t take the same approach to privacy that the EU did. So the directive could have seriously hampered US businesses in serving EU customers and users.

The pact allowed US companies to self-certify that they provided adequate privacy protections for EU citizens, and to register on a list of Safe Harbor organizations. This let US companies store information about EU residents – such as social media profiles or pay rates for overseas employees of US companies – on US-based computers.

The European Court of Justice ruled that national regulators can override the Safe Harbor pact because it violates the privacy rights of EU citizens by exposing them to surveillance by the US government.

The US companies that signed up for the Safe Harbor program now have to figure out how to deal with EU customer data without getting sued, fined, suspended from doing business, or otherwise hassled by European regulators.

US and European negotiators are working to come up with a new-and-improved agreement, but it’s not clear when it will be ready.

Some large companies have backup plans – for example, they have EU-based data centers and make sure that EU customer data stays there. But many smaller companies have no clue what to do now. Setting up EU-based data centers could “double operations costs,” according to an expert quoted by the Journal. On the other hand, giving up EU business would also be a huge hit to the bottom line.

Model Contracts

Companies can continue to comply with EU privacy laws by using model contracts approved by the EU.

Companies can also apply to each EU country’s privacy regulators – an expensive and lengthy process.

Class Project

The New York Times reported that the challenge to the pact was launched by Max Schrems, a now-28-year-old graduate student in law at the University of Vienna.

When he was 24 and studying at the Santa Clara University School of Law in California, Silicon Valley privacy lawyers came and spoke to his privacy law class, saying that they didn’t take Europe’s privacy laws seriously since US companies were rarely punished for breaking them.

Schrems needed a topic for a class paper, so he decided to look into how Facebook dealt with EU data protection laws.

He requested his own information from Facebook, and discovered the company had 1,200 pages’ worth – including the text of a private chat with a friend who was hospitalized with psychological problems.

Schrems then filed 22 complaints with the Irish Data Protection Commissioner, which regulates Facebook because the company’s European operations are run from Ireland.

According to the Times,

Like many young, well-educated Europeans, Mr. Schrems likes the United States, but he objects to the tendency of Silicon Valley companies to beg forgiveness rather than ask permission. “The approach of the big companies is saying we’re above the law,” he said. 
