What the EU’s safe harbor verdict means for platforms, brands — and you

Mainstream news has been peppered with headlines on Europe’s top court ruling “safe harbor” as invalid Tuesday, suggesting tech giants like Facebook and Google are under threat, and throwing data privacy concerns front and centre of the collective conscious.

If your legal jargon isn’t up to scratch, here’s what the ruling means.

Wait, what is the Safe Harbor agreement?
In 2000 the Safe Harbor agreement was established between Europe and America allowing the movement of data, anything from social media information to payroll details, between the continents without extra regulation.

Prior to this many countries, including the U.S., were found by EU authorities to not adequately protect the data of European individuals. Safe Harbor meant companies — including the likes of Microsoft, Apple, Facebook and over 4,000 more — could transfer, process and store data in the outside of Europe if the companies agreed to stricter data protection.

Makes sense in a global economy. So what has changed?
Exposure of U.S. government mass surveillance. When Edward Snowden exposed how companies like Facebook weren’t adequately protecting European users’ data in 2013, people wised up about their online privacy.

This sparked many to take more of an interest in how their data is being used by companies. One particularly zealous Austrian privacy advocate, Maximilian Schrems, filed a charge against Facebook questioning the American company’s compliance with EU rules. This scaled to the European Court of Justice (ECJ, Europe’s highest court) which announced Tuesday that the Safe Harbor agreement did not eliminate the need for local privacy watchdogs to ensure U.S. companies are taking adequate data protection measures. Hence the verdict ‘invalid.’

So what now, who’s breaking the law?
Potentially lots of companies, though Facebook has denied any wrongdoing. But Tuesday’s ruling doesn’t end the personal transfer of data, it just rules that national regulators are able to investigate companies and suspend them if they aren’t providing enough protection when storing or transferring data outside of Europe. This will likely trigger more investigations.

Who are the winners here?
The people! Privacy advocates are hailing the result as a breakthrough for people’s rights.

Schrems’ initial response to the ruling champions the free Web, saying that it’s a “milestone when it comes to online privacy. This judgement draws a clear line. It clarifies that mass surveillance violates our fundamental rights.”

The World Wide Web Foundation, established in 2009 by Web inventor Sir Tim Berners-Lee, echoes this in a statement that said the ruling “puts people’s fundamental right to privacy before profit.”

Snowden is very happy too.

Snowden

Much coverage is taking the line that this will be a blow for tech giants who for so long relied on Safe Harbor — including Google, Facebook, Yahoo and others — and that the exposure will shake consumer trust in how they handle data.

Surely tech giants saw this coming?
They did see this coming, and so did many people In fact the verdict of Tuesday’s ruling doesn’t seem like much of a surprise to anyone.

“We’ve known for years that safe harbor was flimsy and not that stringent,” said Eitan Jankelewitz, who works at specialist law firm Sheridans, “now it’s been finally tested to that effect.”

In fact, since the NSA’s exposed surveillance these big tech firms have been pushing U.S. government to reform laws pertaining to people’s data.

Many of these companies have had legal teams working behind the scenes updating privacy settings and drafting up alternative workarounds to Safe Harbor that will allow them to store and transfer data out of the EU lawfully.

So who are the real losers
Unfortunately this will hit small to medium sized companies the hardest, those who don’t have the resources to either draft up these extra legal documents, or to move their data into European-approved storage.

“Companies will have more responsibility to show where there data is,” explains Jim Kinsella, founder of cloud storage company Zettabox, who said that this will trigger more lawsuits “and companies will be put on incredibly high alert for fear of being sued.” Smaller enterprises are unlikely to be able to effectively fend off this legal action.

So does this mean I can’t see the Facebook updates of my French friends now?
No, people will continue to use Facebook and Facebook will continue to store data, but individuals now have the right to question how it’s being protected.

Really it’s unlikely to have much impact on the everyday user’s Internet activity. Those in Europe will probably see more privacy policies being updated, and requests as to whether they mind their data being taken outside of Europe, but this is a risky strategy for a company to take as citizens can easily request to withdraw that data, leaving them stumped.

How will this decision disrupt U.S. tech companies?
There is a fear that this will lead to fragmentation with certain countries allowing data to go to the U.S. while others don’t.

The ruling will hit U.S. cloud storage companies like Amazon, Box and Dropbox, who many European companies rely on to store their data. They can either continue using these companies and risk legal action, or they can seek EU-based cloud storage companies. It’s almost certain that the dominance of U.S. cloud storage companies will subside.

Should brands that advertise on these platforms be concerned?
Probably not, even though the transfer of data used to target Internet users will be impacted by this, the major players will have workaround mechanisms in place.

“Online advertising will not be affected by the specific ruling,” said Mark Roy, chairman of data agency, REaD Group, because of cookies. “A cookie consent is a consumer providing an individual’s consent to a company to hold data on them to provide tailored advertising — for the record the industry norm is only hold this data for 26 days. Any data held beyond that point might fall foul of the relevancy criteria and could get wrapped up in this new ruling.”

And even Schrems admits that “despite some alarmist comments I don’t think that we will see mayor disruptions in practice.”

So what’s next?
There’s a lot of legal uncertainty, for sure, and people are looking towards national trade bodies, the European Commission and the U.S. government to come up with a reformed Safe Harbor 2.0.

In the interim frameworks need to be put in place to encourage the development and progression of the free Web through data transfer so companies and economies can grow, while still protecting the right and privacy of individuals. The verdict has made clear that mass surveillance is not an acceptable byproduct of the Internet.

https://digiday.com/?p=139273

More in Media

Media Briefing: Publishers search for new ways to grow (and authenticate) audiences, overheard at the Digiday Publishing Summit

“[Advertisers] already pay data providers for data. So why not pay the publisher?”

Research Briefing: Publishers’ revenue sources are top of mind at Digiday Publishing Summit

In this week’s Digiday+ Research Briefing, we examine which revenue streams were top of mind for publishers at the Digiday Publishing Summit, how TikTok is getting even more marketing spend from brands and retailers despite facing a potential U.S. ban, and how Disney is rolling out DRAX Direct, a direct integration with the industry’s largest DSPs, as seen in recent data from Digiday+ Research.

How Forbes is testing its SSPs to improve programmatic ad revenue

Forbes has been running tests with its SSPs to improve the ad tech firms’ contributions to the publisher’s revenue.