FILE - In this Aug. 11, 2019, file photo an iPhone displays the apps for Facebook and Messenger in New Orleans. The European Union’s top court ruled Thursday, July 16, 2020 that an agreement that allows big tech companies to transfer data to the United States is invalid, and that national regulators need to take tougher action to protect the privacy of users' data. It will no longer simply be assumed that tech companies like Facebook will adequately protect the privacy of its European users' data when it sends it to the U.S. Rather, the EU and U.S. will likely have to find a new agreement that guarantees that Europeans' data is afforded the same privacy protection in the U.S. as it is in the EU, which has some of the toughest standards in the world. (AP Photo/Jenny Kane, File)
The European Union’s top court ruled Thursday that an agreement that allows thousands of companies — from tech giants to small financial firms — to transfer data to the United States is invalid because the American government can snoop on people’s data.
The ruling to invalidate Privacy Shield will likely complicate business for around 5,000 companies, and it could require regulators to vet any new data transfers to make sure Europeans’ personal information remains protected according to the EU’s stringent standards.
It will no longer simply be assumed that tech companies like Facebook will adequately protect the privacy of its European users’ data when it sends it to the U.S. Rather, the EU and U.S. will likely have to find a new agreement that guarantees that Europeans’ data is afforded the same privacy protection in the U.S. as it is in the EU.
Privacy activists hailed the court ruling as a major victory, while business groups worried about the potential to disrupt commerce, depending on how the ruling is implemented. Companies like Facebook routinely move such data among their servers around the world and the practice underpins billions of dollars in business.
He first filed a complaint in 2013, after former U.S. National Security Agency contractor Edward Snowden revealed that the American government was snooping on people’s online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans.
Though the legal case was triggered by concerns over Facebook in particular, it could have far-reaching implications not only for tech companies but also businesses in sectors like finance and the auto industry.
Things like emails or hotel reservations between the U.S. and Europe would not be affected because there is no way to conduct that business without data crossing the border. But in other cases, such as with Facebook, for example, messages between Europeans would have to stay in Europe, which can be complicated and require their platform to be split up, Schrems said.
The simple act of using Facebook, Snyder claimed, negated any user’s expectation of privacy: There is no privacy interest, because by sharing with a hundred friends on a social media platform, which is an affirmative social act to publish, to disclose, to share ostensibly private information with a hundred people, you have just, under centuries of common law, under the judgment of Congress, under the SCA, negated any reasonable expectation of privacy.
Companies use legal mechanisms called standard contractual clauses that force businesses to abide by EU privacy standards when transferring messages, photos and other information. The clauses — which are stock terms and conditions — are used to ensure the EU rules are maintained when data leaves the bloc.
The Court of Justice of the EU ruled Thursday that those clauses are still valid in principle. However, it declared invalid the Privacy Shield agreement between the U.S. and EU on data transfers over concerns that the U.S. can demand access to consumer data for national security reasons.
It said that in cases where there are concerns about data privacy, EU regulators should vet, and if needed block, the transfer of data. That raises the prospect that EU regulators will block Facebook, for example, from transferring any more European data to the U.S.
The European Commission said it was studying the ruling and stressed that a system is needed to allow data transfers while also protecting privacy. It said it was in touch with its counterparts in the U.S. on how to proceed.
“I see it as an opportunity to engage in solutions that reflect the values that we share as democratic societies,” European Commission Vice President Vera Jourova said.
U.S. Secretary of Commerce Wilbur Ross said the U.S. was “deeply disappointed” by the ruling and we “hope to be able to limit the negative consequences to the $7.1 trillion trans-Atlantic economic relationship.”
Experts said the full impact on businesses will largely depend on how authorities respond.
“EU regulators will need to adopt a pragmatic approach to enforcement, allowing businesses a period of grace in which to implement alternative arrangements,” said Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP in London.
Government surveillance of personal data is something the U.S. in its turn accuses China of doing through tech companies like Huawei. And it highlights the growing importance of data as the basis of modern business and politics. Data drives much of the world’s largest companies, like Facebook, Google, Alibaba and Amazon, and is also prized for national security to prevent extremist attacks, for example. Mining large sets of people’s data has also become crucial to winning elections, such as the use of Facebook data for Donald Trump’s presidential victory in 2016.
Alexandre Roure, a senior manager at Computer & Communications Industry Association, said the decision “creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic that rely on Privacy Shield for their daily commercial data transfers.”
“We trust that EU and U.S. decision-makers will swiftly develop a sustainable solution, in line with EU law, to ensure the continuation of data flows which underpins the trans-Atlantic economy.”
To begin with, over the course of the coming weeks, users will be prompted to review their privacy settings under the updated Privacy Checkup tool.
According to the company, Off-Facebook Activity "marks a new level of transparency and control", one that the firm has had to rebuild certain parts of their system for.
Philipp-Moritz Jenne in Vienna contributed to this report.
In “A Privacy-Focused Vision for Social Networking,” a 3,200-word essay that Zuckerberg posted to Facebook on March 6, he says he wants to “build a simpler platform that’s focused on privacy first.” In apparent surprise, he writes: “People increasingly also want to connect privately in the digital equivalent of the living room.” Zuckerberg’s essay is a power grab disguised as an act of contrition.