Social media and tech companies cannot seem to catch a break in European Union courts. Previously, Europe has riled Microsoft over monopolistic concerns, has repeatedly rebuffed Google about the right to be forgotten, and has now ruled that tech companies cannot move data to the U.S. for processing. This may seem technical, but the ruling has large implications for data, privacy, and surveillance in Europe and beyond.
The most recent case stems from a lawsuit pursued by Max Schrems, an Austrian graduate student who filed suit with the European data protection commissioner to bar Facebook from sending his personal data to the United States, due to fears that his privacy would be violated through Facebook's cooperation with the National Security Agency's mass surveillance programs.
Before the ruling, it was common practice for United States-based tech companies with interests in Europe to send data gathered there to the United States for processing. For example, according to Hal Hodson in the New Scientist, "Apple's new privacy policy explicitly states that personal data collected for its iCloud service in the European Economic Area is shipped to Apple Inc in the US for processing via Cork in Ireland."
This data transfer was legal under a "Safe Harbor" law/agreement between the EU and the US that, until now, had been standing for 15 years. It is unknown if this ruling completely overturns or simply weakens "Safe Harbor." According to Sam Thielman in the Guardian, "businesses that operate in Europe must now make sure they are compliant with the EU's own laws before they subject their customers' personal information to laxer restrictions in the US."
Advertisers are freaking out, naturally, as they rely on that data to target and individualize advertisements for customers. Without it, they will have to make ad buys blind. Additionally, while this is a blow to businesses working in Europe, many of them planned for just such a ruling. Thielman notes that "tech giants such as Facebook, Apple and Google have long planned for a loss and are likely to fall back on their own user agreements ... or use their own legal status within Europe to circumnavigate the ruling."
Smaller companies, however, are in a tougher position, without the clout or resources to quickly react and adjust to the ruling.
Finally, because almost all of the data going across the Atlantic is transferred through Ireland, the impact of the ruling must also be assessed by the Irish Data Protection Commission. Whether this means a real end to data transfers, an investigation into tech companies' data collection practices, or a compromise that will keep the data flowing while maintaining the privacy of European citizens, remains to be seen.