The European Union and the United States are about to give us some idea of how their negotiations over the Safe Harbor dispute are going. The European Court of Justice ruled that the Safe Harbor arrangement — a critical bridge for e-commerce firms and other businesses that need to move personal information across the Atlantic — was invalid, because it did not protect European citizens against U.S. surveillance. Companies like Facebook and Google are waiting with some trepidation to find out, since a collapse of negotiations might have very serious implications for their business model. Last week, I spoke to Max Schrems, the Austrian activist whose court case led to the European court ruling. Here’s what he has to say, in an interview that has been edited for style and length.
HF — Do you think that the discussions over Safe Harbor will lead to success or failure?
MS — Theoretically it could be partly successful – but only for companies that do not fall under U.S. surveillance laws. So I think that you could find certain areas of data transfer where you can make a deal, but I think it’s going to be very hard to reach an overall deal for all data transfers. The fundamental rights of Europeans are not negotiable. Changing them would be like changing the U.S. Bill of Rights. I think that the U.S. is not going to change its approach to national surveillance, so you have to find the places where these two things don’t clash with each other, such as ordinary transfers of human resources data, which doesn’t fall under mass surveillance laws. There you could possibly get a deal.
I think that what’s going on right now is that everyone’s preparing for a blame game. Everyone will say ‘I tried everything, and we tried until the last moment.’ Both parties will say it’s the other one’s fault. I think that no one wants to be the first one to say, ‘Well, actually, there’s not going to be a deal,’ because then they will get the blame. The problem is that neither party has enough leeway to make a deal. The Commission is bound by the European Court of Justice judgment, which is very clear, while the U.S. Department of Commerce isn’t really able to negotiate about national security issues. So it’s two sides negotiating in a room without the leeway to get a deal. That’s the core problem.
HF — What is the European Court of Justice, and why is its decision binding?
MS — It’s the Supreme Court of the European Union. When it holds that something is invalid or illegal under the Charter of Fundamental Rights, which is the equivalent of our Bill of Rights, then it is absolutely binding on any executive body like the Commission. The interesting thing in this case is that for the first time they have said that the essence of a right is being violated; I don’t think they’ve ever said that before. This means that the violation isn’t just out of proportion, but that it’s so far out of proportion that it is not measurable in terms of proportionality. That is something that the Commission just cannot override. If a Commission decision comes out that violates these findings again, the only thing that will happen is that it will be invalidated by the court again two months later, which doesn’t give any legal certainty to companies, because they will know that it’s just a ping-pong game between the Court and the Commission. I don’t see any sense in striking a deal that’s not going to hold up in court, because it’s not going to help companies.
HF — If there is no deal, what is likely to happen next?
MS — I think everyone’s going to move to standard contractual clauses [HF – an alternative means of sending data across the Atlantic] where that’s possible. It is possible for most data transfers. Unfortunately, it’s not possible for the big companies that are responsible for major data flows — the Googles and Microsofts and their like. These companies are going to be a massive issue because they have to be in the European market. A lot of them are actually serving the whole world out of Europe for tax avoidance reasons. Facebook has 82 percent of its worldwide user base registered in Dublin, not in California. Only Americans and Canadians have a contract with Facebook U.S. Everyone else has a contract with Facebook Ireland.
These companies will have major issues. They have different options. They can reorganize and move out of Europe to avoid jurisdiction. Then they might have to pay taxes again, which would be a nice side effect! Microsoft have said that they will not have factual access to the data so that they do not fall under U.S. law. They say that if we are Microsoft, and we outsource the data to Deutsche Telekom in Germany so that we don’t have factual access, if this is properly done, that would be an option. This creates a barrier, which works for a lot of cloud services where you only have one user and only Europeans. Facebook has a huge issue [in doing this] because it would have to split the network in two.
A lot of people say that consent is the answer — that people consented to have the data shipped to the U.S. anyway. The problem is that everyone ignores that consent has to be specific, informed, unambiguous and freely given, and unless Facebook puts up a post saying, ‘We’re sharing all the data with the NSA – do you agree, yes or no?’ they’re not going to be able to get valid consent in Europe. Doing this would also clash with the confidentiality requirements of U.S. gag orders — officially, they are not allowed to say that they are sharing the data. On the one hand, they have to inform you under European Union law, but on the other hand they are not allowed to inform you under U.S. law. Basically, I think these companies are hoping that there won’t be any enforcement actions.
HF — So what are people like you likely to do if the deal fails?
MS — A number of European data protection authorities are going to go after companies and say that you’re not allowed to outsource your data to the Google cloud anymore, you’re not allowed to outsource your data to the Microsoft cloud anymore. That’s going to harm business.
On the consumer side, if you get together as we did in a class action, you can sue these companies for crazy amounts of money, saying you are violating my right to privacy, you are still forwarding my data to the U.S., and I want damages. That’s what we did in Austria — we only asked for $500 as a token amount, but you could easily argue for $10,000 a person. If some lawyer gets the idea that this is a crazy cash cow, anything can happen.
That’s going to be the result. I’m not really happy with it because I would rather solve the issue in ways that are not escalating it and splitting up the Internet in a certain kind of way. But on the other hand, we have two jurisdictions that are in part not compatible with each other. The solution up to now has been that Europe didn’t enforce its fundamental rights. It’s as if the U.S. said we’re not going to enforce our law anymore. If you’re an international company, you just have to deal with it somehow. It’s going to be hard. It would be wonderful to have an agreement between the two parties to resolve the situation, but I’m fed up with the solution being just sticking to U.S. law and ignoring European law. If you’re doing business in a different country, you have to follow the law, just as Volkswagen is facing huge issues in the U.S. with its emissions scandal. If you mess up in the U.S., you face a class action that might ruin your business. It’s not a pleasant situation, but it’s what may happen in the worst case.