
An EU court just killed a vital U.S. data-sharing agreement. Some say global trade is at risk

July 16, 2020, 11:23 AM UTC


Europe’s highest court just ushered in a nightmare for thousands of American companies, big and small.

Some companies now find themselves immediately unable to legally serve users in the EU. And many Big Tech titans, starting with Facebook, could soon be in the same boat.

It’s all thanks to U.S. surveillance laws, which do not give Europeans a chance to control the collection of their data by American intelligence agencies.

On Thursday morning, the Court of Justice of the European Union (CJEU) struck down a 2016 data-sharing deal between the U.S. and EU, because it could not guarantee the data-protection rights of Europeans when their data goes across the Atlantic, as happens whenever they, for example, use a popular site like Facebook or Google.

The Privacy Shield deal gave American companies a relatively hassle-free way to serve EU users. Under EU law, Europeans’ personal data is only supposed to go to outside countries that have similar data protection rules to those in the EU. The U.S. lacks a strong federal privacy law and therefore doesn’t qualify—so the U.S. and EU agreed on the Privacy Shield register as a way for U.S. companies to say that they adhere to EU-grade privacy rules, even if U.S. law does not.

More than 5,000 companies had signed up for Privacy Shield, and now, with today’s ruling, it’s gone. (Confusingly, though, the U.S. Department of Commerce says it will continue to administer the program, even though it is no longer recognized by the European side.)

The now-stricken deal was itself the replacement for a very similar arrangement, Safe Harbor, that the CJEU also struck down almost five years ago, in what is essentially the same long-running case.

Anti-Facebook crusade

The man behind that case is an Austrian lawyer and activist named Max Schrems, who has been using Facebook since 2008 and is on a crusade to protect the data he gives the company. To do this, he’s had to get the privacy regulator in Ireland—where Facebook has its international headquarters—to deal with his complaint.

Schrems’s first trip to the Luxembourg-based CJEU was the result of the Irish watchdog telling him to get lost, because Facebook had signed on to the Safe Harbor register. In 2016, the court not only said the Irish Data Protection Commission (DPC) did have to investigate Schrems’s complaint—which was sparked by the surveillance revelations of NSA whistleblower Edward Snowden—but it unexpectedly struck down Safe Harbor with immediate effect, because the deal did not actually protect Europeans’ rights as it claimed to do.

This is largely because of programs such as the now-expired PRISM, which allowed agencies such as the FBI to look at foreign users’ messaging data on platforms such as Google and Facebook.

As the U.S. and EU scrambled to come up with a replacement for Safe Harbor, Schrems went back to the Irish DPC. By this point, Facebook was taking no chances, and was relying on a separate legal mechanism to keep its data transfers legal—so-called standard contractual clauses or SCCs, which are a relatively expensive and time-consuming alternative to Safe Harbor.

The terms of SCCs allow a European regulator to suspend data transfers out of the EU if the destination country doesn’t adequately protect that data. But rather than taking this route, the Irish DPC decided to challenge the existence of SCCs as a whole—it essentially sued both Schrems and his nemesis, Facebook.

And that’s how the case ended up back at the CJEU.

‘100% win’

Schrems got exactly what he wanted from the court. Privacy Shield is immediately canceled, but standard contractual clauses are not.

On Thursday morning, the court said SCCs remain valid precisely because they allow a data protection authority to suspend data flows, if the company using the SCCs either breaches its terms or if it is “impossible to honor them” because of the laws in the country to which the data is flowing.

Given that the court slammed U.S. privacy and surveillance laws when striking down Privacy Shield—it said there still weren’t enough limits on U.S. intelligence agencies’ access to Big Tech’s user data, and that Europeans didn’t have a meaningful way to complain about that access—it follows that any company relying on SCCs for their EU-to-U.S. transfers is potentially in trouble.

Without SCCs, a company like Facebook may have to set up functionally separate operations in Europe in order to keep operating there.

“Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield, and we look forward to regulatory guidance in this regard,” Facebook associate counsel Eva Nagle said in a statement. “We will ensure that our advertisers, customers, and partners can continue to enjoy Facebook services while keeping their data safe and secure.”

The Irish Data Protection Commission had yet to respond to the ruling at the time of writing.

In Schrems’s words on Thursday, the court is “telling the Irish DPC to do its job after seven years of inaction” and stop Facebook from sending European users’ data back to the U.S. “The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” he said.

“It is clear that the U.S. will have to seriously change their surveillance laws, if U.S. companies want to continue to play a major role on the EU market.”

However, the effects of Thursday’s decision could have ramifications for companies in other countries, too.

Peter Swire, a senior counsel at law firm Alston & Bird and a former U.S. negotiator on data privacy with the EU, reckons the ruling “appears to put global trade at risk” where countries such as China and Russia are concerned.

“China has far fewer surveillance limitations than U.S. law,” Swire—whom Facebook called as an independent witness in this case—said. “If the data protection authorities make individual findings about difficulties in sending data to the United States, then they seem obligated under the court’s decision to similarly block transfers to most other countries in the world.”

After the Brexit transition period runs out at the end of 2020, the U.K. could find itself being one of those countries.

One peculiarity of the situation is that the EU cannot block data transfers between its own member states, whatever surveillance laws those countries have. But it can block data transfers to outside countries. After this year, the U.K. will be an outside country, and many argue that its surveillance activities will create problems.

Need for reform

Microsoft finds itself in a situation similar to Facebook’s, even though it had nothing to do with this case. Microsoft, like Facebook, has been using SCCs and Privacy Shield to shore up the legality of its EU-U.S. data transfers.

“We want to be clear: If you are a commercial customer, you can continue to use Microsoft services in compliance with European law,” wrote Microsoft chief privacy officer Julie Brill in a blog post. “The court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”

The key word in that post is “today”: Microsoft’s SCCs remain valid, but if Facebook’s SCCs fall, then Microsoft’s could soon follow.

That is, unless the U.S. changes its ways.

“U.S. surveillance violates fundamental privacy rights and continues to be a massive financial liability for U.S. companies trying to compete in a global market,” said Ashley Gorski, a senior attorney with the American Civil Liberties Union (ACLU), which testified in the case.

“Unless Congress swiftly acts to enact comprehensive surveillance reforms,” she said, “U.S. businesses will continue to pay the consequences.”

“Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we’ll continue our work to provide greater protections based on the issues raised in today’s ruling, and that we’ll work collaboratively with governments and policymakers as they shape new approaches,” Microsoft’s Brill wrote.

U.S. Commerce Secretary Wilbur Ross said in a statement that the U.S. government is studying the ruling to “fully understand its practical impacts.”

Said Ross: “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”

This article was updated to include Facebook’s comment.
