European Court of Justice: Looking for the Digital Utopia
In a textbook case of be-careful-what-you-wish-for, frustrated lobbyists plying their trade in Brussels on behalf of Google, Microsoft, and other Internet giants earlier this week suggested Europe could of course always build its own search engine since the US-based ones seems to cause such offence. The last time Europe set out to break US industrial hegemony, it succeeded beyond all expectations with Airbus effectively ending the near-monopoly on commercial aircraft manufacturing enjoyed by Boeing and McDonnell Douglas since the dawn of aviation. Underestimating the resourcefulness of the Old World does not usually pay off.
In a remarkably strong-worded verdict, the European Court of Justice on Tuesday struck down the “safe harbour” provision of the European Commission (EC) which essentially allowed Internet companies such as Google, Microsoft, Facebook, Amazon, and many others to store the private data of EU citizens on servers in the US. The court ordered national privacy watchdogs to investigate “with all due diligence” complaints by users concerned their information may be accessed without their knowledge or consent by US intelligence agencies.
“In a remarkably strong-worded verdict, the European Court of Justice on Tuesday struck down the “safe harbour” provision of the European Commission (EC) which essentially allowed Internet companies such as Google, Microsoft, Facebook, Amazon, and many others to store the private data of EU citizens on servers in the US.”
National supervisory entities had so far dismissed such complaints as either frivolous or vexatious considering the EC’s safe harbour decision a blanket authorisation for the storage of private data in the US. However, the court reasoned that since the national security and law enforcement of the US take precedence over the safe harbour provisions, the scheme fails to properly protect the fundamental rights to privacy of EU citizens and thus contravenes European law.
The court based its verdict on the European Commission’s own findings that US authorities are able to access and process the personal data of EU citizens in way that goes beyond what is strictly necessary and proportionate to the protection of national security. The court also chided the European Commission for failing to ensure US authorities comply with the safe harbour provisions and thus with the privacy guarantees enshrined in the EU Charter. The judges concluded that the European Commission took the assurances of US authorities at face value and did not monitor compliance.
Effective immediately, Internet companies must store all personal data of European citizens on servers that are physically located in a EU member state. In anticipation of the ruling, larger corporations already built new server farms in Europe that enable them to fully comply with the union’s strict data protection regulation.
In a curious twist of reality, US officials came out in force to condemn the court’s ruling and promise digital mayhem. Conveniently ignoring the unlawful wholesale snooping by his country’s intelligence community, US Commerce Secretary Penny Pritzker expressed “deep disappointment” at the verdict and warned that both private businesses and consumers will be inconvenienced. Meanwhile, White House Press Secretary Josh Earnest appeared most concerned about the economic consequences of the ruling.
Most industry reps noted that the ability to transfer vast amounts of data cheaply and quickly between Europe and North America constitutes the backbone of the digital economy. They lamented the extra layer of complexity, and the added expense, now introduced by the court. An estimated 4,400 companies used the safe harbour legal framework to shift vast amounts of data across the North Atlantic. These businesses now need to scramble their resources in order to keep the personal data of their EU clients and users out of reach of US intelligence agencies.
The corporate whining emanating from the United States has a rather hollow ring to it. Microsoft is currently seeking the protection of the courts against the US Department of Justice which in December 2013 obtained a warrant to gain access to private documents stored on a Microsoft server in Ireland. Microsoft lawyers argue that the DoJ’s reach does not extend to Ireland. However, the company already lost twice in lower courts and is now pleading its case before the Second Circuit Court of Appeals.
The vigour displayed by US authorities as they seek access – openly or covertly – to the world’s data, rather than the rulings coming out of Luxemburg, is now seen as the most serious impediment to the continued growth of Internet companies. Increasingly, large US companies are looking beyond low corporate tax rates when searching for new operational bases with the existence of solid data protection laws and privacy safeguards becoming a prime consideration.
Contrary to the European Commission, the ECJ has pointedly ignored the financial impact of its ruling. Whereas the EC argues that the unimpeded flow of data across borders is as essential to economic health as the free flow of goods and services, the European Court of Justice strongly disagrees. In their ruling, the judges mention that personal data does not arise from a vacuum. Thus the human dimension, even in its digitised form, may not be ignored. In a roundabout way, the ECJ ruling reaffirms that now unfashionable notion that not all thing equal money.
The ECJ ruling puts a damper on the secretive negotiations between the US and Europe over a comprehensive transatlantic trade deal that includes a number of reportedly highly contentious provisions on privacy and the treatment of personal data. Already made more complicated by the revelations of whistle-blower Edward Snowden – who exposed a vast US/UK spying operation that potentially affects every mobile phone and computer user in the world – the negotiations are now perilously close to breaking down over the ECJ’s effective ban on the export of personal data from the EU.
Rather than criticise the ECJ for insisting EU law is adhered to, indignant US officials and industry reps may want to ask their government to get its snoops under control. While some progress has been made – the US Freedom Act stops spying agencies from collecting meta data – information stored on American servers is far from secure. While Europe indeed has a much more robust legal framework in place to protect personal data from unauthorised access, privacy advocates hardly have cause for celebration. Last May in the wake of the terrorist attacks on Charlie Hebdo, the French parliament awarded the country’s intelligence services sweeping powers to intercept email traffic and tap phone conversations. France’s security agencies are now allowed to plant black boxes directly onto network nodes and servers in order to monitor digital traffic.
Meanwhile, the master snoops at the UK’s Government Communications Headquarters (GCHQ) merrily harvest untold terabytes of data each day tapping wholesale into submarine cables, microwave transmissions, and satellite links without much oversight.
In a sense the ECJ judges and advocate general, however brave and well-meaning, are fighting a losing battle. Due to its very nature, digital data is hard to safeguard – it may easily be tapped into, transmitted, copied, and analysed. All this can be done without leaving a trace. Whilst a welcome statement, the latest ECJ ruling also smacks of wishful thinking: it reads like a description of a digital utopia – as much desired as impossible to attain.
By Wim Romeijn – Editor, CFI.co