A Blog by Jonathan Low


Mar 27, 2015

Personal Data Gets Its Day in Court: Safe Harbor or Uncharted Shoals?

When it comes to the use of personal information on the internet, there are few who believe any locus provides much of a harbor - and no one thinks any are safe. 

The immediate issue is the legality of transferring personal information gathered for ecommerce purposes in Europe to servers in the US.

The larger question is who controls personal information: the users who believe that once you sign on you have surrendered your rights - or the individuals who maintain that it is theirs to do with as they please.

Digital commerce will soon be synonymous with commerce generally. Digital ad spending alone reached $34 billion in Europe last year. To work, all of those processes required the free flow of information.

Eliminating some names presents technical challenges, but then it was the roll-up of millions of mortgages without due consideration of their inclusion's implications that sparked the financial crisis. That said, preventing the transfer of information stifles a primary benefit of the internet. The potential good news here is that it may be sparking further innovation on information sourcing and using. JL

Sam Schechner and Valentina Pop report in the Wall Street Journal:

Companies on both sides of the Atlantic have expressed concern at the possible scrapping of Safe Harbor, because it concerns not just advertising but also things like payroll information and company phone books.
In a gold-curtained courtroom here, a debate is playing out over the transfer of personal data used for billions of dollars in digital advertising.
The European Court of Justice—the European Union’s top court—heard arguments Tuesday in the biggest threat yet to a legal mechanism that allows Facebook Inc. and thousands of other firms to transfer European personal data to U.S.-based servers.
Following revelations of widespread surveillance by the U.S. National Security Agency, plaintiff Max Schrems, an Austrian law student, made the case that the EU-U.S. agreement, called Safe Harbor, no longer guarantees the privacy of European residents. He was supported by lawyers representing the governments of Belgium, Poland and Austria.
“Mass surveillance is manifestly incompatible with the fundamental right to privacy and data protection,” Noel Travers, a lawyer for Mr. Schrems, told the court on Tuesday.
Mr. Travers acknowledged that he has “no evidence of the NSA specifically having accessed my client’s data” but said that Mr. Schrems’s right to privacy was violated and that in itself can be considered harmful.
Austrian law student Max Schrems posing before his computer in a 2011 photo. Mr. Schrems brought the original challenge over data-protection rules in an Irish court. Photo: Associated Press
The case is a surprise challenge in a wave of disputes between the EU and U.S. over online privacy. European officials look at the protection of personal data as a fundamental right on par with free expression; the U.S. regulates privacy mostly as a consumer-protection issue. That divide was further highlighted last year when the same court decided that a “right to be forgotten” applies to search engines like Google Inc.

At stake in the case is traffic in a major currency of the trans-Atlantic economy: personal information. For companies that offer ad-supported services, personal information—like the location of a Web user—allows the sale of targeted advertisements. Digital ad spending in Western Europe is expected to total $34.81 billion in Europe in 2015, up 8.5% from last year, according to research firm eMarketer.
In the U.K. alone, three American firms—Google, Facebook and Twitter Inc.—will account for more than half of the overall digital ad spending of £8.06 billion (about $12 billion) in 2015, eMarketer says.
Safe Harbor was a stopgap deal adopted in 2000 after the EU found that the U.S.’s patchwork of different data-protection regimes wasn’t stringent enough to meet European standards. Under the agreement, the EU let data flows continue for companies that self-certify they are in line with EU-data protection rules.
Mr. Schrems challenged Facebook’s compliance with EU data-privacy rules in Ireland, where the company’s European operations are based. The Irish data protection authority rejected Mr. Schrems’s challenge, a move that he appealed in the country’s highest court, which asked the EU’s top court whether national authorities can suspend Safe Harbor when there are “extraordinary circumstances.”
Facebook declined to comment on the case, but says that it provides user data to governments only when laws force it to do so.Safe Harbor’s defenders—including the European Commission, the EU’s executive arm—respond that the question of how to protect Europeans from overzealous spying is already part of talks between the EU and the U.S. to address European concerns about the agreement. They say any move by the court to scrap it now would upset trans-Atlantic ties.
“It would have quite serious effects...risking disruption of trade that carries significant benefit for the EU and its citizens,” said a representative of the U.K. government at Tuesday’s hearing.
Several EU countries—Belgium, Austria, Poland—lined up to support Mr. Schrems on Tuesday. “Safe Harbor is not in fact for the data of EU citizens, but is at best a safe harbor for data pirates,” Gerhard Kunnert, a lawyer representing the Austrian government, told the court.
The lead judge on the case, Thomas von Danwitz, also appeared sympathetic. He grilled the lawyer for the European Commission on the language used in the Safe Harbor text, which the lawyer admitted is “no model of clarity.”
If Safe Harbor is really compromised, then this creates a serious legal vacuum.
—Privacy lawyer Eduardo Ustaran
Mr. von Danwitz was also the lead judge when the court last year struck down a data-retention law obliging telecom companies to store the data of Europeans for law enforcement.
Companies on both sides of the Atlantic have expressed concern at the possible scrapping of Safe Harbor, because it concerns not just advertising but also things like payroll information and company phone books. European firms like Ericsson and BT Group PLC often rely on U.S. service providers or have U.S.-based subsidiaries that are Safe Harbor-certified. There are other mechanisms to transfer data between the EU and the U.S., but they are costly because they involve contractual changes and lengthy approvals.
“If Safe Harbor is really compromised, then this creates a serious legal vacuum,” said Eduardo Ustaran, a privacy attorney who works for several U.S. tech firms. “It would disrupt not just data flows, but trade relations between Europe and the U.S.”
Some companies say they may be forced to build more servers in Europe if the agreement is scrapped or scaled back. Twitter said in a securities filing earlier this month that revocation of Safe Harbor could require “duplicative, and potentially expensive, information technology infrastructure and business operations in Europe.”
“Without formulating an alternative this would be a major blow to the trans-Atlantic digital economy,” said Thomas Boué of the Software Alliance, an umbrella lobby group for the software industry.
Mr. Schrems, for his part, dismisses those concerns. “Safe Harbor was always broken but after the [Edward] Snowden revelations, even the European Commission admits it needs improvement,” he said.
A nonbinding opinion by the court’s advocate general will be published on June 24, with a final verdict expected before October.


Post a Comment