Privacy ruling in Europe a 'bombshell' for U.S. firms

October 24, 2015 at 10:14PM
-- PHOTO MOVED IN ADVANCE AND NOT FOR USE - ONLINE OR IN PRINT - BEFORE OCT. 11, 2015. -- Max Schrems, who won a landmark privacy case in the European Court of Justice, in Austria, Oct. 8, 2015. Schremsí legal campaign against Facebook began when he was a 24-year-old student studying at the Santa Clara University School of Law in California. (Sergey Ponomarev/The New York Times)
Max Schrems, who won a landmark privacy case in the European Court of Justice, in Austria. His legal campaign against Facebook began when he was a 24-year-old student. (The Minnesota Star Tribune)

An Austrian law student thought Facebook wasn't safeguarding his status updates and private chats from the spying U.S. government. So he took the company to Europe's highest court. And now thousands of U.S. companies have lost their shield against Europe's privacy police.

The Oct. 6 ruling by the Court of Justice of the European Union ended a 15-year-old agreement that enabled American companies to collect and store private data on European citizens. The decision to toss out the "Safe Harbour" agreement exposes more than 4,000 businesses, including such Minnesota giants as 3M, Ecolab and St. Jude Medical, to potential investigation by European government agencies that enforce privacy laws.

"This really was a bombshell in the world of data transfer and the ability of businesses to do what they need to do," said Mike Cohen, a principal at Gray Plant Mooty in Minneapolis, who advises companies on privacy law.

Despite that, no one expects the E.U. to set up a blockade on the transatlantic flow of data while governments and businesses scramble to work out new arrangements. But it reveals Europeans' higher expectation of privacy for the data they provide to companies, and their increasing alarm with how American businesses, knowingly or not, share it with others.

"They look at [privacy] as a fundamental right," Cohen said. "Here in the U.S., we look at data to monetize it."

Practices that Americans take for granted — mailing lists being shared, marketing pitches based on shopping behavior — are "mind-boggling" to Europeans, said William McGeveran, a law professor at the University of Minnesota. "When you talk to Europeans, they just can't believe all these businesses just swap information about what kind of customer you are."

That concern was the origin of the Safe Harbour agreement. In 2000, the E.U. decided U.S. laws did not adequately protect information on European customers, employees and others. But individual companies could certify that they would abide by European standards of data security.

McGeveran said the ruling in the Safe Harbour case is consistent with the court's 2014 decision that Europeans have a "right to be forgotten," a ruling that forced Google to delete links to information about individuals if they can show the sites are irrelevant or outdated. European countries also have government agencies, called data protection authorities, that enforce violations of privacy laws.

The current controversy began when the Austrian student, Max Schrems, was studying in California a few years ago, according to a recent New York Times profile. Schrems told the Times that a Silicon Valley executive visited his class and seemed to have little regard for Europe's laws on data privacy.

Those laws allow private citizens to get the information companies hold on them, so Schrems requested his own data from Facebook. He was shocked to find the company had a complete record of everything he had done on Facebook from the moment he registered, including data that he had deleted.

In spring 2013, Edward Snowden's revelations of massive surveillance by the National Security Agency (NSA) prompted Schrems to file a complaint against Facebook in Ireland, where its European operations are based. Schrems argued that Facebook could not keep his data safe from the NSA and other unauthorized users once it was stored on U.S. servers.

The ruling from Europe's high court made Schrems, 28, a celebrity among privacy campaigners and earned him a congratulatory tweet from Snowden.

The sensitivity to U.S. spying on Europeans is somewhat baffling, given recent moves in France and other European countries to increase surveillance of its citizens, McGeveran said.

It's also ironic that the watershed privacy ruling emerges from posts on Facebook, where "friends" feel compelled to document every meal, bike ride and goofy argument with their toddlers, rather than sensitive information handed over to a bank or medical clinic.

For all their obsession with privacy, Europeans are more accustomed than Americans to sharing certain things about themselves. Job applicants routinely offer their ages, marital status and religion to potential employers, all of which U.S. employers are prohibited from asking due to anti-discrimination laws, McGeveran said.

Meanwhile, Europeans are quite open about something that most Americans avoid in public: nudity.

"There are topless beaches all over the place," McGeveran said.

Contact James Eli Shiffer at james.shiffer@startribune.com or 612-673-4116.

A Facebook employee walks past a sign at Facebook headquarters in Menlo Park, Calif., Friday, March 15, 2013. Companies say extraordinary campuses are a necessity, to recruit and retain top talent, and to spark innovation and creativity in the workplace. And there are business benefits and financial results for companies that keep their workers happy. (AP Photo/Jeff Chiu) ORG XMIT: MIN2013050117204305 ORG XMIT: MIN1305011723443112
Schrems launched his case after he requested his data from Facebook and found the company still had data he had deleted. (The Minnesota Star Tribune)

about the writer

James Eli Shiffer

Topic Team Leader

James Eli Shiffer is the topics team leader for the Star Tribune, supervising coverage of climate and the environment as well as human services. Previously he was the cities team leader, watchdog and data editor and wrote the Full Disclosure and Whistleblower columns. 

See More