Privacy activist Max Schrems has just won an extraordinary legal victory against U.S. surveillance of European citizens. (License-free photo courtesy of Europe-v-Facebook)

The European Court of Justice, Europe’s highest court, has just ruled that the Safe Harbor, an arrangement between the European Union and the United States allowing for the transfer of personal data, is legally invalid. Few non-specialists have heard of the Safe Harbor. Even so, this ruling is going to send shock waves through both Europe and the United States. Here’s how it happened (we talk about the implications in a separate post).

The Safe Harbor is the cornerstone of transatlantic e-commerce

Over the last 15 years, major U.S. e-commerce firms, such as Facebook, Google, Microsoft and Amazon, have developed big markets in Europe. They all rely on an arrangement called “Safe Harbor” to export personal data from Europe to the United States. The Safe Harbor was negotiated between Europe and the United States after a previous transatlantic dispute in which Europe threatened to stop transatlantic data flows. Europe has comprehensive legislation guaranteeing the privacy of E.U. citizens and preventing businesses from using their personal information in various potentially harmful ways. The United States does not have comprehensive privacy legislation (although it does protect the data of U.S. citizens against government intrusions, and provides some protections, e.g. for health data).

In the 1990s, European officials feared that businesses could take data on E.U. citizens out of Europe, and do whatever they wanted with it abroad. They tried to push the United States to introduce new laws protecting the information of European citizens. The United States wasn’t willing to do this. However, after difficult negotiations (which one of us describes here), they came up with a compromise: the Safe Harbor. Businesses that want to export data can commit to the “principles” of the Safe Harbor, which are watered-down versions of European privacy law. If they break their commitments, they may be liable to sanctions from a self-regulatory organization or the Federal Trade Commission.

This complex arrangement has not worked nearly as well as people hoped. It was already being renegotiated by the European Union and the United States. The new court decision has fundamental consequences. It not only invalidates Safe Harbor, but makes it clear that any new arrangement has to be fundamentally different from the old one. It not only has to protect European citizens better against U.S. e-commerce firms, but has to protect them against the U.S. state.

The court decision has overturned the game board

The European Court of Justice decision stems from an earlier decision by an Irish court. Max Schrems, an Austrian lawyer and privacy activist, has done everything he can over the last several years to be a thorn in Facebook’s side. Most recently, he took a court case against Facebook, arguing that it was breaching his fundamental rights as an E.U. citizen, by exporting his data to the United States, where U.S. security agencies could demand it at will. U.S. laws don’t really protect non-U.S. citizens against U.S. spying agencies. Europeans are foreigners, and are thus considered fair game.

Schrems took this court case to Ireland, because that’s where Facebook’s European operations are based. He had tried and failed to get Ireland’s privacy officials to take action against Facebook; Irish officials have been notoriously protective of U.S. e-commerce firms (this, together with tax benefits, helps explain why many U.S. e-commerce firms have their European headquarters there).

The judge in the Irish case referred some of the key questions in the case to the European Court of Justice, which is supposed to interpret European law in complex situations. He did so, however, in a way that seemed calculated to get the European Court of Justice to think carefully about European citizens’ privacy rights, asking the Court about the implications of U.S. surveillance, and pointing to a previous case in which the court had ruled that Europeans had a broad constitutional right against government surveillance. The court has now ruled that Safe Harbor is invalid.

The ruling has big implications for U.S. companies — and U.S. spying

The ruling has very serious implications for companies such as Facebook and Google. Their business models in Europe depend on access to Europeans’ personal data. Unless they want to close down their European operations, with potentially vast losses in earnings and global market share, they are going to have to take some difficult steps. First, they could re-engineer their operations so that data on European citizens stays in Europe, and hence complies with the ruling. This is likely to be very difficult and very expensive; while they have data centers in Europe, they will have to re-engineer their organization and data practices to keep European and U.S. data entirely distinct from each other. This will not only involve corporate re-engineering, but will also prevent them from taking advantage of a host of economic efficiencies.

Otherwise, they can try to continue business as normal under conditions of legal uncertainty for a period of time, perhaps using contractual arrangements while pushing the U.S. government to make the kind of serious concessions on surveillance that might satisfy the Court. This will be hard. Although the United States has agreed in principle to introduce new laws protecting the rights of Europeans whose data is transferred as part of police cooperation, surveillance and spying are very, very different. Furthermore, it is likely that contracts (in which Europeans would specifically agree to have their data transferred overseas) will be vulnerable to some of the same legal challenges as the Safe Harbor.

What can be said with complete certainty is that U.S. e-commerce firms, which were already angry with the administration for hurting their international business model, will now be absolutely furious.

The U.S. administration is also in a tough bind. It can bargain with European negotiators, but it can’t bargain with European courts. The United States did not enter any formal briefs into the Facebook case to defend its position, a decision which it is likely now regretting (it probably didn’t expect that the case would ever get this far, and didn’t want to imply that a foreign court could have any jurisdiction over U.S. intelligence gathering activities).

The European Commission (the executive body of the European Union) is expected to have an emergency meeting on Wednesday. After that meeting, we may have a better idea of how the European Union is likely to try to deal with the ruling. Commission negotiators are going to find that their hands are tied by the court ruling. They will be simply unable to make concessions that they might otherwise be prepared to make, because they cannot ignore a constitutional ruling from the European Court of Justice without breaking the law. Any further negotiations will take place in the shadow of a potential veto from a European court which has staked out a very strong position on the fundamental privacy rights of E.U. citizens.

U.S. negotiators, who have been used to relatively amicable discussions with security-focused European officials, are likely to be faced with a much starker choice than they are used to. Do they throw U.S. e-commerce companies under the bus, accepting the economic damage to their business model (and likely political furor)? Or do they agree to unprecedented restrictions on their ability to spy on European citizens? Neither is likely to be a particularly attractive choice.