Eric Schmidt, chairman of Google parent company Alphabet, has hit out at a decision by Europe’s top court to strike down a EU-US data-sharing agreement, reportedly claiming that it risks destroying the global internet, “one of the greatest achievements of humanity.”
Re/code has managed to get its hands on a recording of the American businessman addressing the Internet Association trade group.
Schmidt reportedly said he was “very worried” by the European Court of Justice’s (ECJ) revocation of the Safe Harbour decision.
The end of Safe Harbour
Safe Harbour, created in 2000, was a way to facilitate the easy transfer of data about people between the US and the EU, and unify their disparate regulatory regimes. It meant an American company — like Google, or Facebook, or Twitter — could legally take data about its European users out of the continent when required, and didn’t have to worry about complying with twenty-plus different sets of legislation.
But following Edward Snowden’s revelations about US government surveillance, Austrian activist Max Schrems brought a case against Facebook, alleging it failed to adequately protect its users’ data. The case ended up in the European Court of Justice, and earlier this month, the court ruled that Safe Harbour was invalid.
4,5000 companies — not just tech startups — relied on Safe Harbour, and this decision throws them into legal limbo. There are other ways to legitimise the Transatlantic transfer of data, but Safe Harbour was the most straightforward.
Now a company like Google or Facebook could face dozens of different regulatory regimes across Europe. Some countries could even rule that data on its citizens cannot be transferred to the US, and must be held in data centres within their borders.
According to Re/code, Schmidt said this localised regulation could create “per-country-Internets.”
“If that occurs,” he said, “we would lose one of the greatest achievements of humanity.”
A Balkanized internet?
Russia is arguably a blueprint for what Schmidt fears. In September 2015, a new data law came into effect in the country, requiring all foreign companies to hold data on its citizens on servers within the country. “In two years we may get a completely different Internet,” Russian investigative journalist Andrei Soldatov told Business Insider in January 2015. “It might be a collection of Intranets instead of one Internet. Actually I think it’s very possible.”
We may already be beginning to see this Balkanisation in Europe. The Register reports that one German data regulator (ULD) claims that only a change in US law is sufficient to make the transfer of data legal. Any companies that use alternative methods to try and legitimise transfers could be fined up to €300,000.
Jim Killock, executive director of British digital rights organisation Open Rights Group recognises there’s an issue — but says it’s the US government that is at fault. “Yes, there is a problem if Europe and the USA can’t work out a way to respect each other’s legal systems,” he told Business Insider in an email.
“But the heart of the matter is that the US government, knowing that their Silicon Valey industries were hosting the world’s data, decided they would use this for global surveillance. They have gambled with their industry’s future, and ignored the fundamental rights of non-US citizens.”
Killock added: “EU Courts can’t ignore the rights of citizens even if domestic governments do. The [ECJ] may be forcing the hand of the US to change the way they conduct unimpeded surveillance but it is hard to see what else it can be expected to do.”
Google’s letter to customers
GitHub user botic has shared online what seems to be a letter from Google to its Google Cloud Platform customers, informing them of the ECJ’s ruling and trying to assuage concerns. It says that it has “been actively working on adopting Model Contract Clauses (MCCs) for the transfer of personal data from the EU to the US. We already have MCCs as an option for Google Apps for Work customers, and in light of the ruling, we are accelerating our MCC efforts for Google Cloud Platform.”
The implication here is that Google does not currently use model contract clauses to legitimise the transfer of data, potentially opening Google up to potential legal action from data regulators. Google declined to comment.
But even these model contract clauses could not protect Google from legal trouble, if German data regulator ULD gets its way — reform of US law is the only thing that can legitimise the transfer, it argues.
Here’s the full letter, via GitHub:
Please note this email is relevant to you only if you are using Google Cloud Platform to process personal data and European Data Protection laws apply to that processing.
Hello Google Cloud Platform Customer,
The recent ruling by the Court of Justice of the European Union (CJEU) declaring the European Commission’s decision on US-EU Safe Harbour framework to be invalid is an important development in the area of data protection. You can expect our full support as we work together to address this development, as there is nothing more important to us than your trust, privacy and security. We are awaiting more information from the European Commission (EC) and data protection authorities regarding their responses to the court decision.
The European Commission and the US have been actively working on a revised Safe Harbour agreement that should address these concerns, but they were unable to finalise the new agreement prior to the court ruling. Both have indicated that they want to finalise the new Safe Harbour framework as soon as possible. Additionally, we have been actively working on adopting Model Contract Clauses (MCCs) for the transfer of personal data from the EU to the US. We already have MCCs as an option for Google Apps for Work customers, and in light of the ruling, we are accelerating our MCC efforts for Google Cloud Platform.
We will update you in the coming weeks on further developments in this area. We appreciate you placing your trust in us.
The Google Cloud Platform team
© 2015 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043 You have received this mandatory email service announcement to update you about important changes to Google Cloud Platform or your account.