The European Court of Justice (ECJ) in the case of Maximillian Schrems v Data Protection Commissioner has ruled that the current principle of Safe Harbour for the personal data of Europeans is invalid because adequate safeguards are not in place in the US.
Max Schrems a privacy activist brought the case against the Irish data protection body, the Date Protection Commissioner regarding data held and transferred by Facebook from their Irish subsidiary to the US. Mr Schrems successfully argued that after the Edward Snowden revelations regarding the National Security Agency (NSA) and other agencies there is inadequate protection of European personal data that ends up in the US.
The US/European “Safe Harbour” agreement relating to the transfer of personal data from Europe to the US has always been a rubber-stamp exercise for US tech firms.
The usual suspects
Safe Harbour has allowed US tech firms – Google, Facebook and others to state they care about privacy and have privacy protections in place. But this has always been conveniently self-certified. A bit like Libor where banks agreed rates and all was done on an honesty, self-regulating basis – basically a cosy lie.
The reality is that providers of large-scale free websites make their money from selling data to advertisers or renting access to that data to advertisers via their ad platforms. Facebook would not exist without industrial-scale data mining and retention used to sell ad space. However, the problem is made worse because that same data “could” be accessed and used by US intelligence services – though there is no real proof that it has been.
Mr Schrems was asking for the Irish regulator to find out what (if any) information was passed by Facebook to the US intelligence services. The Irish regulator relied on the Safe Harbour principle and stated this was sufficient – the ECJ disagreed.
There is history here
This decision can also been seen as a clash of cultures. Many in the now united Germany had experience of state surveillance under the Stasi and other parts of Europe have only really been free of mass state surveillance for a handful of decades. Though many would argue that mass surveillance is making a pretty good comeback via the Internet and mobile devices in particular – compulsory ID cards seem quite quaint and benign now.
The stakes are high
It is one thing for Facebook to use and sell your data in return for a nice “free” service – the only downside being some rubbish ads that most people ignore. But it is completely different if that same data is obtained and mined by US intelligence – basically the wholesale surveillance of European citizens by a foreign power. The NSA has a hard job doing that to US citizens – it should not have an easier time doing it to Europeans.
Time to go European
We can’t help thinking a lot of these ongoing problems experienced by US tech giants are because they have not really gone local. Facebook, Google and others may have offices here (very nice ones) but for tax purposes they are effectively living elsewhere and for data protection purposes it is the same – they are here to collect, but not to stay.
One day an executive at one of these companies will have the brains and foresight to realise they should become fully-fledged European corporate citizens – pay taxes and observe both the letter & spirit of European law – and watch their growing list of Euro-woe problems disappear as a result.