The European Court of Justice (ECJ), the EU’s highest court, has struck down the “safe-harbour agreement” with America covering consumer data. EU rules say that citizens’ data can only be transferred to countries that comply with EU privacy rules. For the past 15 years, American firms have self-certified that they do – under safe harbour. Now the ECJ has decided that the law is invalid because it prevents European authorities from taking action if citizens say their right to privacy has been breached.
The case was triggered by an Austrian law student, Max Schrems, who asked the Irish Data Protection Commission what information about him Facebook’s Irish subsidiary was passing on to US authorities. His move followed Edward Snowden’s revelation that the US National Security Agency had accessed foreign citizens’ data stored by tech firms.
What the commentators said
“If you’re not paying, you’re the product,” said Ben Wright in The Daily Telegraph. Companies that provide their online services for free, such as Facebook and Twitter, make money by collecting users’ data and selling it to advertisers. Everything from our cat pictures to our credit-card details gets stored for this purpose. Most data are transferred to servers in the US, because many digital firms are American.
“Now that business model has been dealt a huge blow.” The ruling “puts at risk the thriving transatlantic digital economy”, the American commerce secretary, Penny Pritzker, told the FT. American firms may now have to set up infrastructure in Europe to house US data. “We’re talking about millions of dollars of impact here,” said Jan Rezab of Socialbakers in the FT. “This is not pocket change.” The upshot may be the ‘balkanisation’ of the web, whereby companies tailor their services to each country – closing down the relatively open borders of the internet.