'Safe harbour' data ruling leaves U.S. companies in legal limbo - Action News
Home WebMail Saturday, November 23, 2024, 04:34 AM | Calgary | -12.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Science

'Safe harbour' data ruling leaves U.S. companies in legal limbo

A recent court ruling may boost the European Union's efforts to reassert authority over how its citizens' data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders.

EU court finds firms don't offer enough protection for Europeans' data

The European Union's highest court found that the U.S.-EU Safe Harbour deal doesn't protect Europeans' fundamental rights. (Getty Images)

A recent court ruling may boost the European Union's efforts to reassert authority over how its citizens' data is being treated and pressure other countries into creating privacy laws that are consideredmore equitable across borders.

U.S.-basedinternetcompanieslikeFacebook,Amazon andGoogleare now likely scrambling to determine if they need to change their European operations afterajudge in the European Union's highest courtruled Tuesday that the agreement allowing them to transfer data to the United States violates Europeans' rights.

"This is definitely difficult for companies to deal with and it's not a problem of their making either. It's the governments' laws," saysTamirIsrael, a staff lawyer at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic.

The privacy of non-citizens is essentially in a black box right now.- TamirIsrael, lawyer

"ButI think that paradigm does need to change."

Many countries offer their citizens some level of protection to keep their online data gathered by giant internet companies somewhat free from government scrutiny. Often, those same protections don't apply to people outside that country's borders.

"The privacy of non-citizens is essentially in a black box right now," saysIsrael.

Countries can create laws to limit government surveillance of their citizens' data, but can't necessarily impose laws on how other countries treat their residents' online information, he says.

"It's this big kind of international black hole."

The safe-harbour deal

The recent legal battle started years ago, whenMaximillian Schrems, a law student in Europe and privacy advocate, complained Facebook wasn't protecting his data from U.S. authorities.

His complaint cameafter revelations from former NSA contractor Edward Snowdensuggested Europeans' personal data collected by internet companies and sent back to the U.S. may end up in the hands of government agencies.

Edward Snowden, a former NSA contractor, released internal NSA documents revealing a program called Prism. (Glenn Greenwald and Laura Poitras/Associated Press)
Snowdenreleased internal NSA documents that alleged a program called Prism gave the U.S. government backdoor access to data collected by companies like Facebook and Google.

The EU requirescompanies outside its borders to live up to itsstrict data privacy policy, which waspassed in the late 1990s.

In some countries, existing privacy laws were deemed adequate to ensure sufficient protection for Europeans' data, saysColinBennett, a political science professor at the University of Victoria.

Canada's privacy laws, contained in the Personal Information Protection and Electronic Documents Act (PIPEDA), were among these.

The U.S., on the other hand, doesn't have a comprehensive privacy law, he says. Sothe EU and the U.S. negotiatedthe U.S.-EU Safe Harbour deal to allow U.S. companies to send Europeans' personal data to the U.S.and other non-EU nations.

To do so, U.S. companies mustself-certify annually by proving their practices follow the EU's rules on data protection. They must adhere to the seven principles of notice, choice, onward transfer, access, security, data integrity and enforcement.

Facebook is certified, according to export.gov, which lists more than 5,000companiesthat currently or at some point have adhered to the deal's guidelines.Google, Amazon, Apple, Twitter and eBay are all also listed as compliant.

Deal tossed out

The Prism program allegations, however, suggested Facebook user data sent from Europe to the U.S. may be accessed by U.S. government officials,Schremsargued.

He first complained to the Irish data protection commissioner, who rejected his claim, pointing to the existence of the safe-harbour deal. The Irish authorities were the first point of contact as Facebook'sEuropean headquarters are in the country.

The complaint fromSchremswound its way through European courts, untiltheEU'shighest court, the Court of Justice of the European Union,ruled the Irish authority erred in not investigating. The Irish data protection commissioner will now have to fully investigate the complaint.

The court also found the safe-harbour agreementhad too many broad exemptions allowing U.S. authorities access to Europeans' data, Bennettsays.

"Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the court's judgement read.Europeans' fundamental rightsareoutlined in the EU Charter of Fundamental Rights.

In its finding, the court nullified the safe-harbour agreement.

Uncertain future

This creates a problem for companieslike Facebookthat need to move data from EU countries to their U.S. servers.

Bennett sees three possible solutions, with varying degrees of likelihood.

U.S.companies could house European data on servers on the continent, he says, but that would cause multiple logistical issues.

The U.S. Congress could pass a general privacy law that, like Canada's, the EU could deem adequate. There is a "really remote" chance of that happening, he says, considering the political battles within Congress.

Most likely, the EU and the U.S. will negotiate a new version of the safe-harbour deal that will be "a lot stronger" than the current version, Bennett says. Negotiations started taking place already in anticipation of Tuesday's judgement.

Butit's a problem that won't be solved overnight, says Israel, because any of the possible solutions takes time.

That leaves U.S. companies with European operations in a bit of legal limbo. It's possible the EU could impose fines or threaten jail time for companies it deems break its privacy laws, he says, but that's unlikely in the near future.

The EU is likely to wait for negotiations to end with the U.S.before starting to "rigidly" enforce these orders, he says.

It's "imperative" that the two governments "continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security," an unidentified Facebook spokesperson said in a statement.