For the past two weeks, US officials have been grilling TikTok and other China-based tech giants over potential concerns surrounding the data security of Americans who use these apps, not to mention the national security implications of these apps’ alleged allegiance to the Chinese government. Now, it’s looking like the tech giants based on American soil are having that same level of scrutiny lobbed right back in their direction.
Earlier today, the Court of Justice of the European Union — the authority responsible for making sure the EU’s laws are equally applied across its twenty-seven member countries — struck down the long-running rules that allowed American tech companies like Facebook and Google to freely process and store any data from the EU using their US-based servers. The reasoning behind the new ruling, ironically enough, is close to a word-for-word copy of the same kind of government surveillance anxieties surrounding the foreign app crackdown currently being contemplated in the US.
Reading through the ruling, the Court explains that they first caught wind of these issues thanks to a lawsuit filed back in 2015. That year, an Austrian named Maximilian Schrems lodged a complaint with local authorities on the grounds that the data from his Facebook account was largely being processed and stored by Facebook servers in the US, with no way to actually opt out of this sort of data storage. And he was right: since its inception Facebook’s been building up oodles of data centres across the US, taking up dozens of buildings and thousands of square feet a pop.
In comparison, the company only built out its first EU-based data centre in Sweden back in 2013, and only started building out its second a full year after Schrems’s suit went through. Their third EU-based centre is only going to be built out to be traffic-ready in 2021.
According to the docket, Schrems’s biggest beef with Facebook, in this case, wasn’t only that he couldn’t opt out of these transfers, but that the US doesn’t “offer sufficient protection against access by the public authorities to the data transferred to that country.” Again, he was right on the money with this; while US authorities are required to jump through a few legal-ish hoops to get any sort of digital data on a given user, we’ve proven again and again that authorities here have found ways to avoid those hoops entirely.
While the EU courts initially disagreed with Schrems on the grounds that “the United States ensured an adequate level of protection,” evidently, they’ve come to terms with the fact that our U.S. authorities do not actually provide very much protection at all. We’ve seen them siphon off data from Twitter and Facebook alike to surveil people at protests over the years, not to mention what we’ve seen handed off to the likes of Homeland Security, all in a way that’s virtually impossible to opt out of.
The EU Courts decided that pulling these sorts of moves can be considered a violation of the promises American companies have been making to “protect” data under GDPR. As a result, they’ve decided to roll back the “Privacy Shield” agreements they held with the US to transfer their data abroad since they were introduced back in 2016.
#ECJ: the Decision on the adequacy of the protection provided by the EU-US Data Protection Shield is invalidated, but @EU_Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid #Facebook #Schrems pic.twitter.com/BgxGAvuq3T
— EU Court of Justice (@EUCourtPress) July 16, 2020
Under the Privacy Shield’s litany of laws, there was a proposal to have companies hoovering data on US soil sign a contract with their European counterparts each time they plan on doing that transatlantic transfer, even if that transfer’s only happening for “processing purposes,” and even if both sides of the deal already participated in the Privacy Shield agreement. Under these rules, the executives at Facebook’s Irish HQ would be required to hound their US-based buddies with a written contract explaining what can and can’t be done with their data once it hits American grounds. If the American team refuses to sign the contract, no data transfer can occur.
It sounds like a good idea until you realise that, well, many of the issues we have with potential domestic snooping are happening in spite of the sorts of privacy-protecting language written into laws like the CCPA. If our own authorities have already proven to be experts at finding loopholes in these sorts of contracts, then arguably, the answer isn’t more contracts on a transatlantic scale — it’s asking the US to actually crack down on its own privacy practices.
While this case started with Schrems’s ire surrounding Facebook, the truth is that this rollback could potentially apply to any American tech company processing the data of Europeans on American soil. As The Wall Street Journal pointed out, this also means that companies with a massive footprint abroad, like, say, Apple, will have to decide whether the headache (and costs) of setting up a ton of servers across the Atlantic Ocean is worth the business that comes from working in the region.
One spokesperson from the Computer & Communications Industry Association — a lobbying group repping the likes of Amazon, Facebook, and Google — told the Journal that the crackdown on the Privacy Shield “creates legal uncertainty for the thousands of large and small companies on both sides of the Atlantic” that rely on this framework for their day-to-day operations. And until the EU Courts finish scrambling to instate some sort of law that protects its members’ privacy better than the Shield, every tech company — even those based in the EU proper — is being left in a certain degree of limbo, unsure of what can and can’t be condoned by their local authorities.
While locally-based companies are definitely sweating over the EU’s decision, it’s worth noting that none of them are going to be punted out of their European offices just yet. As Wilbur Ross, the US Secretary of Commerce, put it in a statement regarding the EU’s decision, the Privacy Shield isn’t going anywhere just because it’s been proven to be effectively useless when it comes to American companies.
“Today’s decision does not relieve participating organisations of their Privacy Shield obligations,” he wrote.
“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.”
In the meantime, there could be more than five trillion US dollars left on the table if these transatlantic relationships grind to a halt. In order to kick that back into gear, the US will — hopefully — be forced to reckon with the consequences of giving its officials unfettered access to every piece of our digital data.