My Internet browser has a gizmo that shows the flag of the country hosting the website I’m currently viewing. Lately, many of the U.S. websites I visit display the tricolor flag of the Republic of Ireland. That means the servers that host the information I’m viewing — and the information those servers are gathering about me — are located on the Emerald Isle.
That’s very much by design. Ireland is in the European Union, where privacy rules are much stronger than in the so-called Land of the Free. Ever since Edward Snowden’s bombshell revelations about U.S. government spying on Internet users, big U.S. data companies such as Facebook, Google, Microsoft and Apple have transferred server capacity to places such as Ireland and Norway, out of reach of U.S. courts. That’s because they knew that both European and U.S. users would eventually realize that U.S. servers aren’t safe, and would stop doing business with them.
But the U.S. government seems to think its laws apply to everyone on the planet. For the last year, it’s sought a court order to force Microsoft to hand over private emails from a European customer accused of drug trafficking in the U.S. Microsoft has so far refused, arguing that the servers containing the emails are subject to Irish law. But Obama’s Department of Justice hasn’t backed down. It says that since Microsoft has control over the servers, it’s subject to U.S. law.
This is precisely why a courageous Austrian lad by the name of Max Schrems sued Facebook in the European Union Court of Justice, rightly claiming that the company’s inability to guarantee the privacy of his data from U.S. spies violated EU law. Even though Facebook’s servers were in Ireland, he argued, it was clear that the company was vulnerable to U.S. legal demands. Essentially, he argued that the “Safe Harbor” agreement between the U.S. and Europe was worthless, and now he has been proven right.
The decision to invalidate Safe Harbor was long overdue. Everyone on both sides of the Atlantic knows that American companies can’t guarantee the safety of anyone’s data from U.S. government eavesdropping. Even worse, those companies aren’t allowed to tell customers when their information is accessed by U.S. law enforcement or spy agencies. In some cases, they aren’t even aware that Uncle Sam is doing so.
The ruling will be devastating for American data companies with operations in Europe. Absent a change in U.S. practices, their only hope is to set up legally separate companies with completely separate infrastructure in Europe — a highly expensive and complex proposition. Even then, it’s quite likely that European courts will hold that any connection at all between U.S. and European companies — say, common shareholding and boards of directors — will render them noncompliant with EU law. French courts have already made such rulings.
Congratulations, Uncle Sam. You’re destroying one of the central pillars of what’s left of the U.S. economy.
Clearly, there are still countries that understand privacy is an essential right to be protected, not violated whenever it’s easier to do so — an idea that seems increasingly alien to the U.S.