An Irish judge has rendered a preliminary judgment that may have sweeping consequences for U.S. e-commerce firms. The judgment involves a case by a European privacy activist against Facebook. Businesses like Facebook, Google and Microsoft use an arrangement called Safe Harbor (which I’ve written about at length) to export personal data from Europe to the U.S. They also base their operations in Ireland for tax reasons, and because they see Irish privacy officials as more flexible than their mainland European counterparts. The activist claimed that the Safe Harbor arrangement didn’t protect his personal data, because Snowden’s revelations about NSA surveillance shows that the U.S. don’t protect the privacy of foreigners. The judge seems inclined to think that he’s right.
What does the ruling actually involve? So far, nothing binding. The judge hasn’t ruled directly on the major arguments of the privacy activist, because he believes they involve European Union law rather than Irish law. What he has done is to refer the key questions to the European Court of Justice (ECJ), which serves as a kind of Supreme Court on questions of how to interpret European law. This is how everyday judicial politics goes in the European Union — the ECJ’s role is to resolve exactly this kind of query. However, the judge has presented the case to the ECJ in a way that seems designed to get the higher court to rule that the Safe Harbor is incompatible with European human rights standards, and hence invalid.
Since the Safe Harbor was negotiated, Europe has introduced a Charter of Fundamental Rights which explicitly includes the right to privacy. The judge says that it is “not immediately apparent” that the Safe Harbor regime is compatible with the charter, which is a polite way of suggesting to the superior court that it obviously has to rule against Safe Harbor if it doesn’t want to trample over basic European constitutional rights.
The judge also notes in passing that Irish and German law are identical in how they define the right to privacy within the home. This may be a canny way of highlighting the political costs of ruling the wrong way. Over the past few years, the German Constitutional Court has been indicating in increasingly visible ways that the German constitution trumps ECJ rulings when the two come into conflict. The ECJ has managed to build up a lot of informal authority, which might be badly damaged by a direct confrontation with the German Constitutional Court. Such a confrontation might happen if the ECJ comes out with a ruling that effectively limits the privacy of German citizens.
So which way is the ECJ likely to rule? Very hard to say. On the one hand, the ECJ has recently made two major rulings protecting the personal data of European citizens — overturning a law requiring telecommunications companies to retain data, and requiring Google to respect the “right to be forgotten.” The Irish judge quotes the first of these judgments at length in his ruling, saying that it indicates that Safe Harbor is problematic. On the other, when the ECJ was asked a number of years ago to examine another agreement between the E.U. and U.S. on privacy, it found that European privacy law had big exceptions for national security issues (however, this ruling was made before the Charter of Fundamental Rights was adopted).
The ECJ is a canny political actor, and is in a political bind. Its most recent rulings would seem to suggest that it should find against Safe Harbor, on the basis that it exposes the private data of European citizens to American spies. However, it will be under intense political pressure from some member states not to rule against Safe Harbor. In particular, the United Kingdom is likely to be very worried about a ruling which might create a precedent for broader restrictions on spying in Europe. The U.K. intelligence agency, GCHQ, has not only been happy to gather information on the citizens of other European countries, but claims that it can legally gather data on the online activities of U.K. citizens too. It furthermore has benefitted from a close relationship with the NSA. Hence, it is likely that the U.K. (and perhaps other big states, too) will argue strongly for the ECJ to rule that the privacy activist has no case.
If the ECJ rules that Safe Harbor is invalid, what next? Potential near-disaster for big U.S. e-commerce firms like Facebook, Google and Microsoft, which are heavily exposed to European markets, and rely on European citizens’ personal data. The death of Safe Harbor would mean that they were not able to legally export personal data, potentially crippling their business model. Nor could they substitute alternative arrangements (such as contracts), since these arrangements would not provide any protection from the NSA. Firms would of course protest volubly, and get the U.S. administration to fight on their behalf.
Over time, the E.U. and the U.S. would try to work out a deal, as they did when they first thrashed out Safe Harbor (which was itself the product of apparently irresolvable differences between the E.U. and U.S.). However, any potential deal would probably require extremely difficult concessions from the U.S. Unlike previous negotiations, it would take place under the shadow of a restrictive court ruling — and E.U. officials are no more capable than their U.S. counterparts of striking bargains that are flagrantly against the law.
The U.S. isn’t used to legally restricting its ability to spy on its allies, or changing its domestic arrangements for the convenience of foreign powers. This time, it would almost certainly have to, if it wanted to avoid a protracted dispute that would be very damaging to U.S. economic interests. For a long time, the interdependence of the U.S. economy with the economies of other industrialized democracies has been a source of political strength. In the near future, it may become a source of weakness.