Blame Snowden

Imagine a world where Facebook, Twitter and WhatsApp were not even ideas in their creators’ minds; a time when telephones were used only for voice calls or messages of 140 characters, and when Google had only been on the market for two years, still promising not to do harm. At that time, in the year 2000, the European Union still recommended anonymization techniques to protect citizens’ privacy. It still thought that the Safe Harbor Privacy Principles were part of a pact between gentlemen that improved technological development and allowed for a faster exchange of data with the U.S. than with any other country.*

Then came the attacks of Sept. 11 and with them, the indiscriminate interception of data. Under the premise that anyone could become a terrorist, no one remained free from scrutiny. That’s why, for the sake of global security, everyone was investigated and the EU bowed to new data needs. We were like that for years, suspecting that the application of the USA Patriot Act depended on the collaboration of large Internet-based businesses. Edward Snowden arrived and confirmed that. When he revealed the extent and seriousness of the espionage, the European Commission finally reacted. In 2013, it questioned whether the application of the safe harbor effectively protected the data of European citizens, not only from businesses that used the information but also from the United States administration itself. The rulings made by the European Court of Justice following Snowden’s communication have paved the way toward demanding control of the state’s power of investigation (the annulment of the Data Retention Directive) and the submission of American technologies to European laws (the right to be forgotten in the Google case).

The ruling issued yesterday established that the personal information of European citizens stored by American businesses is not subject to the same level of protection as that provided in the EU in adherence to the Safe Harbor directive. For that reason, the national data protection authorities have the right to suspend the use of information by these businesses if they suspect that European standards are not being met. Paraphrasing the commission, the ruling highlights that all of the entities that were part of the National Security Agency’s program that Snowden uncovered were on the safe harbor list.

In light of this situation, the ruling considers the directive obsolete and establishes a simple principle that has the potential to strike at the vulnerable part of the largest technology companies: the ability of national data protection authorities to suspend the use of the safe harbor system, and thus the transfer of data, if a citizen claims that the practices of that country or business fail to meet the European levels of data protection. The ruling grants jurisdiction over American businesses that have Europeans’ data. This is equivalent to subjecting these businesses to European legislation, something that was already addressed in the verdict in the case dealing with the right to be forgotten.

If data is the new petroleum, many businesses will either have to follow the European norms or pull over onto the shoulder.

* Editor’s note: The Safe Harbor Privacy Principles, developed by the U.S. Department of Commerce, were a streamlined process that U.S. companies used to comply with an EU directive on the protection of personal data.