This time, it’s not Facebook’s fault
Facebook has a terrible reputation among mainland European privacy regulators. In part, this may be because of inflammatory statements like Facebook CEO Mark Zuckerberg’s claim that people don’t really care about privacy any more. Yet given Facebook’s business model – which involves gathering detailed personal data about its users before serving them up on a platter to advertisers – it’s unlikely that privacy officials would love Facebook even if it had a more diplomatic CEO.
However, even if Facebook abandoned most of its controversial policies, it would not have been able to avoid this preliminary opinion. The Advocate-General isn’t worried about what Facebook does to its users’ personal data. He is worried about what U.S. surveillance agencies can do with Facebook’s data after Facebook has gathered it.
The target is bigger than Facebook
Facebook uses the so-called “Safe Harbor” arrangement to transfer its users’ personal data from Europe to the U.S. It’s not alone in this – other big e-commerce companies like Google and Amazon (whose CEO Jeff Bezos owns the Washington Post) use the Safe Harbor too. As this academic article that one of us wrote in 2003 discusses, Safe Harbor was a set of rules negotiated by the EU and U.S. to allow U.S. companies to transfer the personal information of European citizens to the U.S.
The European Court of Justice was asked to rule in a complex case over the relationship between data protection officials and Safe Harbor. The Advocate-General finds in his preliminary opinion that the EU’s decision to accept Safe Harbor was “invalid.” He says that the Safe Harbor contradicts European law, including the EU’s Charter of Fundamental Rights, which, like the U.S. constitution, lays out and protects the basic rights of European citizens. His argument, which refers to Edward Snowden’s revelations, is that the Safe Harbor allows data to be transferred to the U.S. which can then be “accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance.”
In plain language, the Advocate-General is saying that Safe Harbor is broken. It doesn’t protect the rights of European citizens, because it allows the NSA and other U.S. security agencies to rifle indiscriminately through these citizens’ data. Hence, the EU needs to junk it.
This may be a very big deal
The Advocate-General’s opinion isn’t binding. It’s possible that the European Court of Justice will disagree. However, both the Advocate-General and the Irish judge who referred the case to the European Court of Justice have interpreted European constitutional rights in ways that will make it tough for the court to make a fundamentally different ruling.
If the European Court of Justice agrees with its Advocate-General, the consequences are potentially enormous. The Safe Harbor will be overturned. U.S. businesses will no longer be able to use it to legally bring the personal data of European citizens to the U.S. Nor will they have any obvious alternative way to transfer data – the other standard methods will almost certainly be vulnerable to the same legal challenges. The fundamental problem is that U.S. companies cannot provide any guarantees that the NSA and other U.S. security agencies won’t help itself to their data, since they don’t control the U.S. government.
Without access to personal data, Google and Facebook’s business model in Europe will be seriously damaged, and maybe even crippled. Perhaps they could completely compartmentalize their European data from their US data, and keep it within European borders under European law. But that is likely to be very hard indeed.
The U.S. may be facing a tough decision
An adverse court ruling will face the U.S. and EU with really difficult choices. Both sides have already been talking about revising Safe Harbor, and would like to reach a deal. However, finding that deal would suddenly become far more difficult. European negotiators would not be able to make concessions on the rights of European citizens, without turning into scofflaws and trashing the Charter that is the closest thing that Europe has to a constitution. While the EU and U.S. have both agreed in principle to an Umbrella Agreement that would give European citizens more privacy rights in U.S. courts, the agreement doesn’t cover consumer information, and has gaping exceptions for national security. In its current form, it is surely inadequate to provide the kinds of remedy that the Advocate-General says is necessary.
Thus, if the court rules as expected, the U.S. has to choose between two unattractive options. The first is to refuse to make any concessions on surveillance, hence endangering the business models of big and influential U.S. e-commerce firms, and making life much harder for other big corporations that e.g. have to transfer personnel files across borders. The second is to make real concessions to the EU on spying, moving away from indiscriminate surveillance to a system that would provide real protections for European citizens.
The U.S. won’t be able to count on concessions from European negotiators as it has in the past, since these negotiators will be bound by the Charter, and the European Court of Justice’s interpretation of it. Big e-commerce firms have already made their wants known – their representative organization in Europe is telling negotiators to address the Advocate-General’s concerns before the court issues a ruling. International relations scholars sometimes wonder whether Edward Snowden’s revelations have had real consequences for international politics. It may be that they will have their answer very soon.