Amid spying claims, court eyes suspending EU privacy pact

Suspending the privacy rules that govern European data in the US would be "uncharted territory," with many US services facing possible disruption.
Written by Zack Whittaker, Contributor
The European Court of Justice, where the data pact hearing will be held Tuesday.
(Image: EC/file photo)

NEW YORK -- A crucial judgment scheduled for Tuesday could find a vital transatlantic data transfer agreement between Europe and the US unlawful, effectively freezing data on the European continent and leaving millions of citizens digitally stranded.

The decision to revoke the so-called Safe Harbor agreement, which is used by thousands of companies including Silicon Valley tech giants, will be determined by the European Court of Justice, the top court in the 28 member states. The court will decide if the agreement did enough to protect European citizens' private data when it reached the US, particularly in the wake of the National Security Agency leaks detailing mass global surveillance.

Safe Harbor, signed into force at the turn of the century, is vital for companies like Facebook, Google, and Microsoft -- among thousands of other firms -- to operate.

The framework was set up to allow companies to easily transfer personal data to the US without the burden of seeking prior approval each time, particularly at a time when data-intensive internet services became more popular.

When US companies operating in Europe sign up to Safe Harbor and transfer data to the US, they promise to protect personal data as though the data is still in Europe, where data protection and privacy laws are stronger.

Data disruption?

Things changed in the wake of the Edward Snowden leaks about government spying. Privacy campaigners said the agreement was effectively useless.

Companies like Facebook were charged with allegedly participating in the US government's PRISM surveillance program -- named at the center of the court case. Much of the data that was handed to the US government on European citizens is said to be through the Safe Harbor program.

Facebook founder Mark Zuckerberg strenuously denied any knowledge of, or participation in the program.

The court's decision on Tuesday will follow hot on the heels of an opinion by EU advocate general Yves Bot, whose decisions are not legally binding but are almost always followed by a later formal ruling by the court's judges.

"The Safe Harbor scheme... does not contain any appropriate guarantees for preventing mass and generalized access to the transferred data," said Bot in his September 23 opinion.

The US Mission to the EU was quick to criticize Bot's opinion in a statement, calling out "inaccurate assertions," particularly about the US' intelligence practices.

Bot's opinion followed comments made by a European Commission official, who earlier this year confirmed that the privacy rules do not adequately protect EU citizens' data.

"You might consider closing your Facebook account, if you have one," said the official during the case's opening remarks in March.

'Uncharted territory'

Exactly what happens on Tuesday following the court's ruling -- either way -- could have a potentially devastating effect on how US companies, particularly technology firms, provide services to their customers.

Experts are not expecting Facebook, Microsoft, and Google -- to name just a few -- to suddenly shut down or cease working in Europe. As the AFP news agency reports, larger companies like Facebook "generally have separate legal contracts drawn up on their data protection laws that permit them to carry on operating in the event that agreements like Safe Harbor break down."

But there are concerns over the possible and likely ramifications in the case that the agreement is declared invalid in the near term, and what comes next.

Facebook, Microsoft, and Google did not respond to a request for comment. John Higgins, director general of DigitalEurope, whose trade group represents Apple, Google, Microsoft and others, told the Reuters news agency said he was "concerned" about potential disruption to international data flows.

A senior spokesperson for the European Commission, the executive body for the 28-member state bloc, said Friday it "will not and cannot pre-judge the outcome of the case."

But in reality, nobody is quite sure exactly what will happen if the agreement is proven unlawful, or how problematic it might be.

Sophie in 't Veld, a Dutch member of the European Parliament, said a move to declare Safe Harbor effectively unlawful would be "uncharted territory."

"If indeed Safe Harbor is declared invalid, companies will be in breach of EU law when they are in transferring data," she said on the phone. "Some sort of arrangement will have to put in place very quickly, and it really makes you wonder as we have done over the years why the Commission hasn't acted sooner."

In 't Veld, who reportedly last year called for the suspension of the agreement, said she would find it "hard to imagine" the Commission would not immediately act on the ruling to prevent transatlantic data transfers from grinding to a halt.

Monika Kuschewsky, a Brussels-based lawyer at Covington & Burling, called the situation a "headache" for companies on both sides of the Atlantic.

"If [the court] realized what consequences it would have and in other cases where it has declared Commission instruments invalid, it's always taken into account the effect this would have on the stakeholders," she said.

Kuschewsky said it wasn't clear if the ruling will have an immediate effect on businesses, but warned it "could be months" before the dust settles.

Naturally the US Federal Trade Commission, which oversees the Safe Harbor program on its side of the pond, is concerned. According to Politico, suspending the program "will be taking away a privacy-protecting solution, and not addressing the underlying issue of government surveillance," said FTC Commissioner Julie Brill.

The court is scheduled to release its ruling early morning Tuesday.

Editorial standards