This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html

The article has changed 11 times. There is an RSS feed of changes available.

Version 7 Version 8
Data Transfer Pact Between U.S. and Europe Is Ruled Invalid Data Transfer Pact Between U.S. and Europe Is Ruled Invalid
(about 2 hours later)
Europe’s highest court on Tuesday struck down an international agreement that had allowed companies to move people’s digital data between the European Union and the United States. Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move people’s digital data between the European Union and the United States, leaving the international operations of companies like Google and Facebook in a sort of legal limbo.
The ruling, by the European Court of Justice, could make it more difficult for global technology giants including the likes of Amazon and Apple, Google and Facebook to collect and mine online information from their millions of users in the 28-member European Union. The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.
The court declared the data-transfer agreement, which is known as Safe Harbor, immediately invalid. The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. Many European countries have widely varying stances towards privacy.
Although most big multinational companies and their lawyers have hammered out side agreements with the European Union that should allow them to continue moving data across borders for now, the court’s ruling could hold significant implications down the road. Data protection advocates hailed the ruling. Industry executives and trade groups, though, said the decision left a huge amount of uncertainty for big companies. They called on the European Commission to complete a new safe agreement with the United States, a deal that has been negotiated for more than two years.
It will empower data-privacy regulators in each of the bloc’s nations to evaluate how data is moved from their countries to the United States, and it will permit national authorities to impose tougher restrictions on data transfers, if they decide to. Some European officials and many of the big technology companies, including Facebook and Microsoft, tried to play down the impact of the ruling, saying side agreements with the European Union should allow the companies to continue moving data across borders.
Europe’s privacy watchdogs remain divided over how to police American tech companies. France and Germany, where companies like Facebook and Google have huge numbers of users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens’ personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large American tech companies have set up overseas headquarters in Ireland. But some of Europe’s national privacy watchdogs are expected to make it hard for large companies like Facebook to transfer Europeans’ information overseas under the current data arrangements. And the ruling appeared to leave smaller companies with fewer legal resources vulnerable to potential privacy violations.
The European Court of Justice is the highest legal authority in the European Union, and its decision cannot be appealed. “We can’t assume that anything is now safe,” Brian Hengesbaugh, a privacy lawyer with Baker & McKenzie in Chicago who helped to negotiate the original safe harbor agreement. “The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”
At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple. Such data is valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities. At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple. Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities.
Efforts to block the movement of such data across national borders could not only impose technical complexities on technology companies but could also require those companies to rethink the ways they make money in some parts of Europe. The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.
The United States government had lobbied aggressively in Brussels in recent months to keep the Safe Harbor agreement in place. Frans Timmermans, the first vice president for the European Commission, which will be charged with carrying out the ruling, tried to ease the concerns of companies on Tuesday. He said businesses could still move European data to the United States through other existing treaties.
The data-transfer rules do not only apply solely to tech companies. They will affect any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online. He added that the European Commission would work with national privacy regulators to ensure that the court’s decision was carried out in a uniform fashion across the entire region.
“This is extremely bad news for E.U.-U.S. trade,” said Richard Cumbley, a tech lawyer at Linklaters in London. “Thousands of U.S. businesses rely on the Safe Harbor as a means of moving information. Without Safe Harbor, they will be scrambling to put replacement measures in place.” “Citizens need robust safeguards,” said Mr. Timmermans. “And companies need certainty.”
In its ruling, the court said that the Safe Harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. Such access infringes on Europeans’ rights to privacy established under the region’s tough data protection rules, the court said. But it was unclear how bulletproof those treaties would be under the new ruling, which cannot be appealed and went into effect immediately. Europe’s privacy watchdogs, for example, remain divided over how to police American tech companies.
“Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the European Court of Justice said in a statement on Tuesday. France and Germany, where companies like Facebook and Google have huge numbers of users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens’ personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large American tech companies have set up overseas headquarters in Ireland.
The European Commission, the executive arm of the European Union that will be charged with carrying out the ruling, said it would hold a news conference in Brussels on Tuesday. “For those who are willing to take on big companies, this ruling will have empowered them to act,” said Ot van Daalen, a Dutch privacy lawyer at Project Moore, who has been a vocal advocate for stricter data protection rules.
After the European court made its ruling, several technology executives said they were checking with their companies’ legal teams to ensure users’ data could still be transferred outside the bloc, based on the side agreements already in place. The safe harbor agreement has been in place since 2000, enabling American tech companies to compile data generated by their European clients in web searches, social media posts and other online activities.
Facebook said on Tuesday that it was one of thousands of companies that relied heavily on the ability to share data between its European and American operations. Under the deal, more than 4,000 European and American companies had been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region. The United States government had lobbied aggressively in Brussels in recent months to keep the agreement in place.
“It is imperative that E.U. and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” Sally Aldous, a Facebook spokeswoman, said in a statement. The United States and the European Union have worked for roughly two years on a new safe harbor agreement. The court’s ruling now puts pressure on negotiators to complete an agreement, but it may also complicate matters.
The Safe Harbor data-sharing agreement has been in place since 2000, enabling American tech companies to compile data generated by their European clients in web searches, social media posts and other online activities. Any new deal had already been expected to give Europeans greater say over how their online information is collected, transferred and managed by tech companies. But the talks have stalled over what type of access to European data American intelligence agencies should be given, according to several people with direct knowledge of the matter, who spoke on the condition of anonymity.
Under the deal, more than 4,000 European and American companies have been expected to treat the information moved outside the European Union with the same privacy protections the data had inside the region. In addition, legal experts said that even if a new deal is reached, the court’s decision would would still give the national privacy regulators some say over the transfer of data.
But European privacy campaigners have contended that American rules do not offer the same data protections to individuals.
In its ruling, the European court noted that the region’s 500 million citizens did not have the right to bring legal cases in United States courts if they believed their privacy had been infringed by American companies or by the United States government. A bill to provide this legal recourse is being debated in Congress, though analysts said it was unlikely to become law before the American elections next year.In its ruling, the European court noted that the region’s 500 million citizens did not have the right to bring legal cases in United States courts if they believed their privacy had been infringed by American companies or by the United States government. A bill to provide this legal recourse is being debated in Congress, though analysts said it was unlikely to become law before the American elections next year.
The court said on Tuesday that national data protection regulators could limit data-sharing activities if they believed their citizens’ data could be used in ways not guaranteed under European law, the court said. Penny Pritzker, the American secretary of commerce, said she was disappointed about the European court’s decision, adding she would work with the European Commission to finalize the new safe harbor agreement.
Big companies like Google and Facebook might then have to store the information solely within their European operations. Those two companies already operate data centers in Europe. But smaller businesses on both sides of the Atlantic might have more trouble complying with the court order. The legal ruling “puts at risk the thriving transatlantic digital economy,” she said in a statement on Tuesday.
The ruling was foreshadowed two weeks ago, when an adviser to the court called the data pact insufficient. In anticipation of the ruling, many companies tasked teams of lawyers with figuring out how to continue their operations largely unimpeded. For large tech companies, other data transfer methods, including internal company agreements and clauses inserted into terms and conditions of service, could allow them to continue moving data to the United States. The lengthy negotiations have highlighted the different approaches to online data protection. In the United States, privacy is viewed as a consumer protection issue; in Europe, privacy is almost on a par with such fundamental rights as freedom of expression. Last year, Europe’s top court ruled that anyone with connections to the region could ask search engines like Google to remove links about themselves from online results. European campaigners said this so-called right to be forgotten ruling would help protect people’s online privacy, while many in the United States said the decision would curtail online freedom of speech.
The implications of the ruling remain unclear. Some privacy lawyers said that the court’s judgment could give national privacy watchdogs greater say over who has access to their citizens’ data and to where that information can be sent. A number of European data protection authorities, for example, have already started their own investigations into whether Facebook’s new terms and conditions violate national data protection rules. Privacy experts say such ad hoc investigations could become more frequent. Those differences became more pronounced after Mr. Snowden revealed how American and British intelligence agencies had seemingly unfettered access to people’s online activities.
“Companies may not be able to move people’s data until domestic data protection authorities give their approval,” said Marc Dautlich, a privacy lawyer at Pinsent Masons in London. “In some of Europe’s 28 countries, that is not going to be easy.”
Smaller companies, though — with fewer legal resources to comply with Europe’s tough privacy rules — may not be able to respond quickly to the decision.
The United States and the European Union have worked for roughly two years on a new Safe Harbor agreement. The court’s ruling now puts pressure on negotiators to complete an agreement.
Any new deal would be expected to give Europeans greater say over how their online information is collected, transferred and managed by tech companies. But the talks have stalled over what type of access to European data American intelligence agencies should be given, according to several people with direct knowledge of the matter, who spoke on the condition of anonymity.
Sophie Coremans, a spokeswoman for the United States mission to the European Union, declined to comment on the court’s ruling. The United States Commerce Department is expected to issue a response later on Tuesday.
DigitalEurope, a trade body that represents many American tech companies, said on Tuesday that it was disappointed by the court’s decision, which the group said might harm consumers and companies by limiting how they gain access to online services.
“We urgently call on the European Commission and the United States government to conclude their long-running negotiations to provide a new Safe Harbor agreement as soon as possible,” said Peter Olson, DigitalEurope’s president.
Before the court’s ruling, the United States mission to the European Union had criticized proposals to invalidate the trans-Atlantic data agreement, saying that it would jeopardize Europe’s business and diplomatic relations with other countries, including the United States.
The lengthy negotiations highlighted the different approaches to online data protection by the United States, where privacy is viewed as a consumer protection issue, and Europe, where it is almost on a par with such fundamental rights as freedom of expression.
Those differences became more pronounced after Edward J. Snowden, a former contractor for the National Security Agency, revealed how American and British intelligence agencies had seemingly unfettered access to people’s online activities.
“The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” the judges said in a statement on Tuesday, referring to access to European data by American intelligence agencies.“The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” the judges said in a statement on Tuesday, referring to access to European data by American intelligence agencies.
The case reviewed by the European Court of Justice related to a complaint brought by Max Schrems, a 27-year-old Austrian graduate student, who argued that Europeans’ online data was misused when Facebook was said to have cooperated with the N.S.A.’s Prism program.The case reviewed by the European Court of Justice related to a complaint brought by Max Schrems, a 27-year-old Austrian graduate student, who argued that Europeans’ online data was misused when Facebook was said to have cooperated with the N.S.A.’s Prism program.
That program is reported to have given the American agency significant access to data collected by several American tech companies, including Facebook and Google. That program is reported to have given the American agency significant access to data collected by several American tech companies. Facebook denies that the United States government had unlimited access to its users’ data.
Mr. Snowden on Tuesday, after the court ruling, posted a message on Twitter praising Mr. Schrems: ‘‘Congratulations, @maxschrems. You’ve changed the world for the better.’’Mr. Snowden on Tuesday, after the court ruling, posted a message on Twitter praising Mr. Schrems: ‘‘Congratulations, @maxschrems. You’ve changed the world for the better.’’
Mr. Schrems, who is pursuing a separate civil class-action lawsuit against Facebook in an Austrian court, said the N.S.A.’s access to information about Facebook’s users in Europe broke the region’s privacy rules. He has also argued that the data-sharing agreement between Europe and the United States does not give Europeans sufficient recourse if their data is misused by companies or national governments. In a statement on Tuesday, Mr. Schrems, who is pursuing a separate civil class-action lawsuit against Facebook in an Austrian court, praised the decision.
Facebook denies that the United States government had unlimited access to its users’ data. “Governments and businesses cannot simply ignore our fundamental right to privacy,” he said, “but must abide by the law and enforce it.”
“This judgment draws a clear line,” Mr. Schrems said in a statement released on Tuesday. “It clarifies that mass surveillance violates our fundamental rights.”
“Governments and businesses cannot simply ignore our fundamental right to privacy,” he continued, “but must abide by the law and enforce it.”