What are the implications of yesterday’s ruling by the European Court of Justice in the Max Schrems case?
Who is likely to be affected by the sweeping decision, which effectively rules invalid the long-standing Safe Harbour principles? These rules govern how European data are handled when sent to the US, and provide an easy – too easy – way for US businesses to self-certify that they handle data correctly.
The critical piece of this ruling – one being overlooked by many business and legal commentators – is the finding that it is nigh-on impossible for the US to ensure EU data are handled in accordance with rights guaranteed to EU citizens.
As the court noted, US security laws give public authorities, such as law enforcement and security agencies, access to all data held in the US. Surveillance activities, secretive courts and gag orders mean companies cannot disclose orders to hand over data, and may be unaware that those data have been gathered at all.
This contravenes European data laws that require data be held only for limited periods, and that citizens be given forms of redress to remove or correct information or challenge unlawful surveillance. In this broad context, Safe Harbour cannot be deemed adequate protection. Nor can so-called “model clauses” – legal agreements an individual company might draw up on how data are to be protected – that some are suggesting are a solution. Model clauses cannot address the core issue of US national security laws, so they cannot simply replace Safe Harbour.
Privacy safeguards
It is impossible to imagine how any new agreement could meet the concerns in the ECJ’s ruling.
The US is unlikely to change its security laws, no matter how controversial they may be. And the US is not going to allow EU data to be handled with more safeguards and privacy provisions than that of its own citizens.
The only realistic resolution is that all EU citizen data must now be kept within Europe, and be neither processed nor stored in the US. The natural assumption might be that it is the Facebooks and Googles of the world that will bear the brunt of this ruling. But that is not the case. The big multinationals, including Facebook, already have the capacity to manage European data within Europe. For them, the ruling is primarily a cost and technology headache.
Harder hit will be smaller companies, which are less likely to have the in-house ability to manage data with greater sophistication. Outsourcing data management to a third party might be one option.
Consumers and business customers, on the other hand, are unlikely to notice anything has changed. The EU is a larger market than the US, and a leading growth market for many companies. Multinationals are not going to withdraw services or products over an addressable data-management issue.
Multinational gaze
But do expect a boom for European data centres. Already many multinationals, with one eye on ongoing EU regulatory shifts, have them.
However, the US government is arguing, in a pending case against Microsoft over email in its Irish data centre, that it has a right to access data held by American companies wherever they are located. A finding against Microsoft would mean a multinational’s data centre in Europe can’t give adequate data protection. In that case, multinationals will probably respond by creating a legally separate company to run the data centre and European services.
But the Microsoft case is likely to be appealed all the way to the Supreme Court – which again gives companies time to develop compliance solutions. Not least because the mechanism for a person who feels his or her data have been mishandled is the clumsy and slow route of – as the ECJ indicated – a complaint to a national data protection commissioner, followed by an investigation.
Internet commerce and business won’t come to a sudden halt as a result of this ruling. But the EU/US business landscape has just changed dramatically. And businesses must now be mindful of data protection and privacy in a way that will benefit all European citizens.