The European Court of Justice ruled on October 6 to scuttle a 15-year data-transfer pact with the United States. This pact provided a “safe harbor” to over 4,000 transatlantic U.S. companies that claimed to satisfy “adequate” data-protection standards under European law. The “safe harbor” principles allowed U.S. companies operating in Europe, like Facebook and Google, to gather the private information of European citizens and transfer that data to U.S.-based servers, so long as those companies self-certified that they complied with the E.U.’s “adequacy” standards for privacy protection. The European court decided that these principles violated Europeans’ rights to privacy because they allowed American government authorities to gain easy access to Europeans’ online information through U.S.-located databases.
The Court’s ruling is in many ways a reaction to revelations over the past few years of U.S. government mass-surveillance programs, highlighted most poignantly by Edward Snowden’s leak in 2013. The Court’s ruling is based in large part on the premise that the U.S. government and U.S. companies can no longer credibly certify that they are protecting Europeans’ privacy and meeting Europe’s baseline data-protection standards. The ruling means that many U.S. companies may no longer have unimpeded safe-harbor rights to gather the data of European citizens and transfer it to U.S.-based servers. Instead, big data companies like Amazon and Microsoft will be subject to the data-protection laws of 28 different European nations. And, unfortunately, European countries have “widely varying stances toward privacy.” This has put the international operations of U.S. technology companies in a kind of limbo with respect to their existing data-collection programs and how different European states will treat them. “This is a big deal, because it directly affects all the large American Internet companies,” wrote Bruce Schneier, an internationally renowned security technologist.
It should be noted, however, that the ruling does not necessarily kill the U.S.’ Safe Harbor principles; it just means that local governments in each country must consider individual cases and that the E.U. will not provide a blanket allowance to transfer data to the U.S. simply because a company has self-certified under the Safe Harbor regime.
The court’s ruling creates the following consequences for U.S.-based big-data companies with users in the E.U.: (1) the ruling opens the companies up to privacy lawsuits if they are processing E.U. data on U.S. shores; (2) these companies may be forced to adopt stronger encryption methods, consistent with the standards of individual E.U. countries; and (3) they may need to reconstruct their European data-processing operations, including creating regional data-processing centers (costing both time and money). Law firms may stand to benefit as large tech companies fork out money for their advice. But all of this could be avoided (for better or worse, depending on your profession) if the European Commission and U.S. government come up with a new Safe Harbor agreement, which is something both governments have been working on for over a year now.
This ruling is a true milestone in the world of data privacy. What is clear is that different countries have different cultural norms and sensitivities with regard to access to personal information, a reality that is now being expressed in legal terms and that may prove costly to U.S.-based big-data companies that had become accustomed to the simplicity and continuity of the Safe Harbor regime.