SurveillanceRuling shows Europe still vexed over NSA spying, leaving U.S. companies in legal limbo

By Caren Morrison

Published 23 October 2015

For over fifteen years, the Data Transfer Pact between the European Union and the United States, more commonly known as Safe Harbor, had ensured that companies with EU operations could transfer online data about their employees and customers back to the United States despite stark differences between U.S. and European privacy law. Earlier this month, U.S. companies operating in Europe got some unwelcome news: Safe Harbor had been ruled invalid. The European court’s ruling has serious implications for these companies’ business models and profitability, leaving many scrambling to find solutions. But it also exposes a fundamental cultural rift between the U.S. and Europe’s conceptions of privacy – one that a new agreement won’t be able to paper over.

Earlier this month, U.S. companies operating in Europe got some unwelcome news: the Data Transfer Pact between the European Union and the United States, more commonly known as “Safe Harbor,” had been ruled invalid.

For over fifteen years, Safe Harbor had ensured that companies with EU operations could transfer online data about their employees and customers back to the United States despite stark differences between U.S. and European privacy law.

With the exponential growth of the digital economy, “cross-border transfers of data have become critical to the core operations of both large and small enterprises,” according to the Software Alliance, a trade group whose members include Intel, Intuit and IBM (and that’s just the “I’s”). “Companies need to share product designs, marketing plans, customer records, inventory data and other essential information between offices and among business partners in order to effectively manage their operations,” according to one of its reports.

The free flow of information enables companies to do everything from centralizing payroll and human resources information at the mother ship in the US to amassing the web search histories, social media updates and online purchases that fuel online advertising, a business expected to be worth US$80 billion worldwide by 2018.

The European court’s ruling has serious implications for these companies’ business models and profitability, leaving many scrambling to find solutions. But it also exposes a fundamental cultural rift between the U.S. and Europe’s conceptions of privacy – one that a new agreement won’t be able to paper over.

European Court of Justice steps in
Over 4,000 US companies joined Safe Harbor, which required only that a company certify that personal data, once transferred, would enjoy the same level of protection in the United States as it did in Europe.

Sadly, that proved not to be the case. In 2013, when Edward Snowden revealed that the National Security Agency was collecting the content of millions of online communications through its Prism program, Europeans realized that the “just trust us” system of self-certification by US companies like Facebook was not protecting the data of European customers from NSA surveillance.

The European Court of Justice did not “like” this one bit.

Max Schrems, an Austrian law student, had been challenging Facebook’s privacy practices for several years. Snowden’s leaks prompted him to file another complaint, saying that Facebook couldn’t legally transfer his online data to the United States because Safe Harbor wasn’t ensuring its protection.