Protecting your privacy online is always a tricky business. It gets even trickier when multiple countries are involved.
That proved true once again in a Thursday legal decision by the European Union, which held that a data transfer standard between the EU and the United States doesn't adequately protect people's privacy. The ruling struck down a provision used by more than 5,000 companies, including Facebook and Microsoft.
The case came out of the Court of Justice of the European Union, invalidating the EU-US Privacy Shield, which allowed companies to send data belonging to EU citizens to the US. Under the EU's General Data Protection Regulation, data can be transferred out of its member countries only if there are adequate protections in place.
The Privacy Shield, established in 2016 by the US Department of Commerce, the European Commission and the Swiss Administration, had been considered a proper framework to protect that data.
Privacy laws that are acceptable for the US might not be acceptable for the EU, which has stricter standards on how companies can use and transfer citizens' data. That creates issues regarding international companies like Facebook and Microsoft, whose data isn't limited by national borders.
Also, if data gets transferred to the United States, it's open for collection under the US' government surveillance laws. That represents a major privacy concern and conflict for EU residents and tech companies, and could increase the pressure for surveillance reforms.
Despite the ruling, the US Department of Commerce said it'll continue to support the Privacy Shield program. In a statement, Secretary of Commerce Wilbur Ross said he was "deeply disappointed" in the court's decision.
"Data flows are essential not just to tech companies -- but to businesses of all sizes in every sector," Ross said. "As our economies continue their post-recovery, it is critical that companies -- including the 5,300-plus current Privacy Shield participants -- be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield."
Push for US surveillance reform
Maximilian Schrems, an Austrian privacy advocate, challenged this framework in 2019, arguing that his Facebook data transferred to the US couldn't be properly protected because of the US' surveillance programs being able to access that data. The case is referred to as Schrems II because the activist also successfully challenged the Safe Harbor framework in 2015.
Schrems argued that though surveillance programs in the United States extend protections to US citizens, they don't provide that same safety for data belonging to foreign residents.
"As the EU will not change its fundamental rights to please the [US National Security Agency], the only way to overcome this clash is for the US to introduce solid privacy rights for all people -- including foreigners," Schrems said in a statement. "Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."
US surveillance laws like the Foreign Intelligence Surveillance Act don't extend protections to non-US citizens. The ruling by the EU Court of Justice noted that because of that, data transfers to the US aren't properly protected, said Grabiela Zanfir-Fortuna, a senior counsel for the Future of Privacy Forum.
"If the law will remain the same, the conclusion of the EU Court of Justice is not likely to change in the future," she said.
In a statement Thursday, Microsoft's chief privacy officer, Julie Brill, said that though the company's data transfers haven't been affected, because of its contracts, the company would take steps to challenge surveillance demands from the US government.
"Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we'll continue our work to provide greater protections based on the issues raised in today's ruling, and that we'll work collaboratively with governments and policymakers as they shape new approaches," Brill said.
What happens to data transfers now?
In its ruling, the Court of Justice said the Privacy Shield doesn't protect EU citizens from US surveillance, but it said the "standard contractual clauses" between companies and countries are still in effect.
While the decision prevents companies from using the Privacy Shield to transfer data between the EU and the US, they're still allowed to use standard contractual clauses, which Microsoft and Facebook said they're already doing.
"We welcome the decision of the Court of Justice of the European Union to confirm the validity of Standard Contractual Clauses for transfers of data to non-EU countries," Eva Nagle, Facebook's associate general counsel, said in a statement. "These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens."
The Standard Contractual Clauses have been upheld, but maybe not for long. The court's judgment Thursday is leaving that call for each nation's data protection authority to make. It could suspend any of those contracts that don't meet the EU's data protection standards, said Caitlin Fennessy, a research director for the International association of Privacy Professionals.
Fennessy is a former Privacy Shield director at the US International Trade Administration.
"It requires companies to conduct a costly and complex analysis of the sufficiency of protections for data provided by the laws of countries as diverse as the US, China, India and Brazil," Fennessy said in a statement. "The decision will reinforce and enhance the role of privacy officers and the need for comprehensive, robust privacy programs in organizations."
Among US lawmakers, there's concerns that unless a new standard is developed, the EU court's decision will have a significant effect on American businesses that operate in Europe. Sen. Roger Wicker, chairman of the Senate commerce committee, and Sen. Jerry Moran, chairman of its subcommittee on consumer protection, said on Friday that without the EU-US Privacy Shield, there would be a troubling effect for US businesses.
"This would cause significant disruptions to data transfers and trade activity between the EU and the United States. We need to work quickly to establish a successor framework that supports economic development and adequately protects consumer data across borders," the two lawmakers said in a joint statement.