Three years ago, I called Max Schrems, a then 24-year-old law student, the "Austrian thorn in Facebook's side." Since then, he has only dug deeper into the social network's skin, and this week, he became a thorn in the side of every American company operating in Europe. He got Europe's top court to strike down the decades-old Safe Harbor agreement between the E.U. and the U.S., an outcome that had been described as a "Doomsday scenario" by a business group talking to Fortune.
"The most significant repercussion of this ruling is that American companies, such as Facebook, Google, and Twitter, may not be allowed to send user data from Europe back to the US," writes Ars Technica. "The courts in each EU member state can now rule that the Safe Harbour agreement is illegal in their country."
Schrems, now 28 and a lawyer, became radicalized on privacy issues while spending a semester abroad at a California law school in 2011. When a Facebook privacy lawyer came in to talk to his class, Schrems was so shocked by the lawyer's misunderstanding of privacy law in Europe that he decided to write his thesis about it when he returned to Austria. His thesis evolved into a non-profit, called Europe vs. Facebook, and for the last few years, he has been hammering Facebook with legal complaints, filed with the Irish Data Protection Agency (because Facebook's European headquarters are there) and in higher appeals courts. In 2012, after Facebook had launched a new facial recognition feature for tagging friends in photos, Schrems won a case that forced Facebook to dump Europeans' faceprints. Since the case, both Facebook and Google have held back from launching facial recognition-based search products in Europe.
Schrems had filed the current Safe Harbor suit in response to the Snowden revelations, saying they proved that the data Facebook had on him was not being "safely harbored" in the U.S. The Court of Justice for the European Union agreed with him, and has now opened the door for every country in Europe to force American companies to store data about their citizens within the continent, rather than shipping it to a data server elsewhere as companies usually do. Snowden was among those who congratulated Schrems on Twitter.
"This decision is a major blow for US global surveillance that heavily relies on private partners," said Schrems in a press release. "The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights."
Facebook, meanwhile, wants to make clear that the judgment isn't aimed only at them and that they have other options for shipping data around. "This case is not about Facebook," said a spokesperson by email. "What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor."
Privacy expert Omer Tene says companies can still rely on other special agreements that have been reached by the US and EU to send data outside of borders, namely binding corporate rules—which are essentially global privacy policies that companies have to work out in each country—and standard contractual clauses—which allow for one-off data transfers.
Schrems tried to temper the business freak-out that will come from the ruling, saying that this won't stop the flow of European data to the U.S. but will allow data protection agencies to review individual cases, rather than giving companies the "blanket allowance" allowed under the Safe Harbor regime. "Despite some alarmist comments I don’t think that we will see major disruptions in practice," said Schrems.
At the same time that Schrems's case could lead to American companies storing Europeans' data in European data servers, the U.S. Department of Justice is fighting a case against Microsoft in which it argues that it shouldn't matter where data is stored. The DOJ is arguing it has the right to demand the emails of anyone in the world, from anywhere in the world, as long as they are stored with a U.S. provider. That case is making its way through federal courts here in the U.S.
It's been a rough fall for tech companies in Europe. Last month, France ruled that Google must grant the "right to be forgotten" to its citizens globally, rather than just scrubbing the searches conducted within France. It's unclear if Google is going to comply with the ruling. "As a matter of principle, we respectfully disagree with the idea that a single national Data Protection Authority should determine which webpages people in other countries can access via search engines," a Google spokesperson told me last month.
For years, data has flowed online relatively freely. We believed that there were no borders when it came to the Internet. It was one big "global village." But, increasingly, that is not the case. Individual countries want their laws to be built into the Internet. Citizens like Schrems want the more stringent privacy protections of their home countries to apply even when they're using an Internet service built in a country with less powerful privacy laws. It is an incredible battle of wills to watch, and it is not going to stop anytime soon.