How an Austrian Student Gave 4,500 US Companies a Privacy Headache
As reported by the Wall Street Journal, the European Union’s highest court struck down an agreement used by thousands of US companies to transfer the personal information of European citizens to the US.
The 15-year-old agreement is called the “Safe Harbor” pact and it’s used by about 4,500 US companies, including Google, Apple, Amazon, and Facebook.
Penny Pritzker, the US commerce secretary, said the decision “puts at risk the thriving trans-Atlantic digital economy.”
According to a US government website, the pact was made in response to the European Commission’s Directive on Data Protection, which went into effect in 1998.
The Directive prohibited the transfer of personal data to non-EU countries that didn’t measure up to EU standards for protecting privacy.
The problem was that the US didn’t take the same approach to privacy as the EU, so the Directive could have seriously hampered US businesses in serving EU customers and users.
The pact allowed US companies to self-certify that they provided adequate privacy protections for EU citizens, and to register on a list of Safe Harbor organizations. This let US companies store information about EU residents – such as social media profiles or pay rates for overseas employees of US companies – on US-based computers.
The European Court of Justice ruled that national regulators can override the Safe Harbor pact because it violates the privacy rights of EU citizens by exposing them to surveillance by the US government.
The US companies that signed up for the Safe Harbor program now have to figure out how to deal with EU customer data without getting sued, fined, suspended from doing business, or otherwise hassled by European regulators.
US and European negotiators are working to come up with a new-and-improved agreement, but it’s not clear when it will be ready.
Some large companies have backup plans – for example, they have EU-based data centers and make sure that EU customer data stays there. But many smaller companies have no clue what to do now. Setting up EU-based data centers could “double operations costs,” according to an expert quoted by the Journal. On the other hand, giving up EU business would also be a huge hit to the bottom line.
Companies can continue to comply with EU privacy laws by using model contracts approved by the EU.
Companies can also apply to each EU country’s privacy regulators – an expensive and lengthy process.
The New York Times reported that the challenge to the pact was launched by Max Schrems, a now-28-year-old graduate student in law at the University of Vienna.
When he was 24 and studying at the Santa Clara University School of Law in California, Silicon Valley privacy lawyers came and spoke to his privacy law class, saying that they didn’t take Europe’s privacy laws seriously since US companies were rarely punished for breaking them.
Schrems needed a topic for a class paper, so he decided to look into how Facebook dealt with EU data protection laws.
He requested his own information from Facebook, and discovered the company had 1,200 pages’ worth – including the text of a private chat with a friend who was hospitalized with psychological problems.
Schrems then filed 22 complaints with the Irish Data Protection Commissioner, which regulates Facebook because the company’s European operations are run from Ireland.
According to the Times,
Like many young, well-educated Europeans, Mr. Schrems likes the United States, but he objects to the tendency of Silicon Valley companies to beg forgiveness rather than ask permission. “The approach of the big companies is saying we’re above the law,” he said.