Ever since Europe's highest court ruled the Safe Harbor agreement between the EU and the US invalid, much of the focus has been on the security of European citizens' data at US companies. But a recent case involving Google in the Netherlands raises questions about privacy protections on US data in Europe.
One day before the Safe Harbor ruling earlier this month, a Dutch court ordered Google to hand over personal data about a Google Play user to the BREIN Foundation, a Dutch non-profit organization that works to protect original creators' copyrights in the Netherlands.
BREIN argues the Google Play user had been selling unauthorized copies of Dutch-language e-books in such high volumes that the original content creators now deserve financial compensation for copyright infringement.
BREIN does not know if the Google Play user's data is stored in the US or the EU. To date, Google operates seven datacenters in the US and four in the EU.
Nor does BREIN know if the user lives in the EU or is a European citizen. The Dutch court, however, decided that ending copyright infringement outweighed the importance of the user's right to privacy.
Google already terminated the user's Google Play account in response to an earlier request from BREIN. Now that the company has received the court order, it is studying the court's decision.
"In general, as soon as we're made aware of illicit activity on any of our platforms, we take action - such as terminating the account in question," Mark Jansen, communications and public affairs manager for Google Benelux, told ZDNet in an email.
"What we do not do, however, is hand over user information without ensuring that due legal process is followed - for example a court order. This has been our policy for many years," Jansen said.
Among the data BREIN seeks to obtain from Google is the Google Play user's name; physical, email, and IP addresses; and bank account information. With this data, BREIN will facilitate a cease-and-desist plea and requitals from the user on behalf of a consortium of the books' publishers. These steps could lead to more legal proceedings if private negotiations fail.
While the BREIN Foundation says it respects the Google Play user's right to privacy, it believes that the entity behind the account should be considered a corporation. Corporations are usually registered at a local chamber of commerce, where business names and addresses are publically accessible.
Therefore, BREIN argues, privacy concerns should not prevent Google from making the user's information available to the foundation.
"Of course, everybody is entitled to their privacy. But with regards to a business, it is so that the consumer protection legislation requires companies to identify themselves," says Tim Kuik, managing director of the BREIN Foundation.
Referencing European privacy restrictions may become a tactic that tech companies can use to conceal their internal data. On the same day as the Safe Harbor ruling, Microsoft cited European privacy rules to resist handing a customer's data over to US authorities. The customer's data is stored in an Irish datacenter.
The European Commission instituted the Safe Harbor agreement in 2000 to facilitate moving digital information between the US and the EU with appropriate safeguards to protect European citizens' privacy. Without the agreement in place, the European Court of Justice ruled that each of the EU's 28 member states should individually regulate how companies collect and use online personal data.
The ruling may impact US tech companies, like Google, the most because they rely on their global network of datacenters to manage their global consumer bases. Notably, personal search data is commonly used to develop targeted online advertising. To access digital data that is stored in the EU, American companies will now need to comply with Europe's stringent privacy rules through other legal frameworks.
The BREIN Foundation usually settles copyright infringement claims through private dialogues. But since Google generally requires a court order to proceed with a user data request, BREIN says it had to seek legal action.
"When you inflict damage on another, then that other person has an interest in knowing who you are," says Kuik. "Intellectual property rights. That's a basic right as well."
Read more about Safe Harbor