欧洲监管部门下重手,美国科技公司将无法利用欧洲用户数据
过去五年,在注重细枝末节但又必不可少的数据隐私领域中,一直在慢慢上演一场“无法避免的事故”。一位Facebook用户对美国网络监视行为的反抗,使得美国科技行业将欧洲用户的个人信息传回国内这种合法的做法被逐渐禁止。
如今,关键时刻似乎终于来临,大型科技公司将无法继续在美国处理欧洲用户的数据。
Facebook在9月9日表示,爱尔兰隐私监管部门(负责监管Facebook的所有欧洲业务)已经“暗示”Facebook将无法再利用其当前的法律机制从欧洲向美国传输个人数据,包括从姓名和电子邮箱到照片和评论等与可确定身份的欧洲个人有关的任何数据。
在此之前,《华尔街日报》(Wall Street Journal)曾经报道称,爱尔兰隐私监管部门曾经向Facebook发布了“一项暂停向美国传输欧盟用户数据的初步命令。”
欧盟的最高法院曾经在两个月前裁决,“标准合同条款”(standard contractual clauses)这种法律机制在原则上是合法有效的。然而,法院称在将欧洲人的数据发送至没有良好隐私保护的国家导致数据面临威胁的情况下,隐私监管部门可以认定应用“标准合同条款”无效。
这将影响向美国的数据传输,这一点一直以来都很清楚,因为欧盟法院(Court of Justice of the EU)做出了同样的判决,否决了美国与欧盟之间数据传输的专门机制“隐私护盾”。公司通过这种机制能够更简单并且以更低成本跨大西洋合法传输数据。
法院的理由是美国的数据监视法律,导致大型科技公司无法避免欧洲人的数据被美国情报部门掌握。无论公司为数据传输采用哪种法律机制,都存在同样的问题。
“影响深远”
Facebook的首席游说官、前英国副首相尼克•克莱格在9月9日的一篇博客中写到:“爱尔兰数据保护委员会(The Irish Data Protection Commission)已经开始调查Facebook受管制的在欧盟与美国之间的数据传输,并暗示标准合同条款可能无法再实际应用到欧盟与美国之间的数据传输。虽然此事还要经过更多流程,但按照该委员会的说法,可能对依赖标准合同条款这种机制的企业以及许多个人和企业依赖的在线服务产生深远的影响。”
克莱格认为“没有安全、合法的跨国数据传输,会妨碍欧盟的经济以及数据驱动型企业的增长。”因为企业将无法再使用位于美国的云服务提供商处理客户数据。
他甚至认为,终止美国导向的标准合同条款机制,会使服务欧洲高校和医院的电子邮件平台受到影响。但这种说法值得怀疑,因为欧盟隐私法律允许向任何地区传输数据,前提是数据传输对于履行用户和提供商之间的合同是“必要的”,而且处理电子邮件是电子邮箱服务的基本功能。
Facebook等公司现在面临的两难境地是,用户希望进行在线社交,然而跟踪用户的在线活动和编制营销资料,对于满足用户的这种需求并不是必不可少的,但对于Facebook依赖广告收入的公司业绩可能至关重要。
这并不意味着Facebook不会至少尝试将“必要性”作为另外一条法律依据,用于支持其在欧盟与美国之间传输个人数据(这将是继当前使用的标准合同条款、之前采用的隐私护盾和同样被否决的安全港协议之后的第四个法律依据)。
奥地利的年轻律师马克思•施雷姆斯为了阻止自己的Facebook数据被美国间谍利用提起了诉讼。他的抗争促使欧盟法院撤销了安全港协议和隐私护盾。他在9月10日公布了他的律师与Facebook律师之间的法律信函,揭露了Facebook调用“必要性”作为法律依据的做法。
施雷姆斯在通过电子邮件发送的一份声明中指出,爱尔兰监管部门对Facebook处理他的个人数据的做法展开了漫长的调查,目前调查只专注于Facebook标准合同条款的有效性。他说,这意味着监管部门“依旧只是在调查问题的一个方面。”
施雷姆斯表示:“Facebook似乎也希望数据保护委员只把标准合同条款作为调查重点,这样等到第三轮程序结束时,他们就可以拿出下一个法律依据。这种在法律上的‘打地鼠’游戏到现在已经持续了七年。所以我怀疑,针对Facebook的所谓命令只不过是另一个毫无用处的台阶,不会彻底解决问题。”
《财富》杂志曾经咨询爱尔兰数据保护委员会对此事的意见,但至今未收到答复。
“隐私护盾加强版”
无论Facebook能否把调查再拖延几年,如果爱尔兰数据保护委员会“暗示标准合同条款可能无法再实际应用到欧盟与美国之间的数据传输”(克莱格的原话),这对于大型科技公司而言将是一次沉重的打击。
“必要性”可能成为许多公司的救命稻草,因为许多公司除了将用户数据用于提供核心服务以外,还会用于其他目的。Facebook(及其同行)还有一线希望,即美国与欧盟达成第三版数据共享协议,取代隐私护盾。
克莱格在9月9日的博客中对欧盟和美国尝试达成“隐私护盾加强版”(他的原话)协定所做的努力表示欢迎。他写道:“双方在开展相关工作时应该认识到,欧盟成员国和美国都是民主国家,有着共同的价值观和法治精神,双方在文化、社会和商业上的联系密不可分,而且有非常类似的数据监控权力和规范。”
但这两个贸易伙伴并没有类似的数据保护法律。否则,欧盟委员会可以简单地认定美国的隐私保护制度是“充分的”(类似于欧盟委员会对加拿大和日本的评价),而且美国公司也不需要为它们的数据传输努力寻找其他法律依据。
事实上,除了医疗领域以外,美国并没有联邦数据隐私法律,美国的情报部门有广泛的自由裁量权,可以对外国人的通信进行监听,而对于在美国境内的这种监听行为,欧洲人没有有效的投诉途径。
除非这种情况发生改变,否则所谓的“隐私护盾加强版”不太可能出现,而且隐私护盾和安全港在欧盟法院两次碰壁之后,欧盟委员会不太可能支持一项在法律上漏洞百出的协议。正如欧盟的司法事务专员迪迪埃•雷恩德斯不到一周前所说的那样,这方面不会有“快速解决的办法”。
这一切都表明关键时刻终于来临,而且这不只是针对美国科技企业,其他国家的企业同样将面临考验。这些企业一方面渴望利用欧洲人的个人数据,但本国却执行了具有侵略性的数据监控。(财富中文网)
翻译:刘进龙
审校:汪皓
过去五年,在注重细枝末节但又必不可少的数据隐私领域中,一直在慢慢上演一场“无法避免的事故”。一位Facebook用户对美国网络监视行为的反抗,使得美国科技行业将欧洲用户的个人信息传回国内这种合法的做法被逐渐禁止。
如今,关键时刻似乎终于来临,大型科技公司将无法继续在美国处理欧洲用户的数据。
Facebook在9月9日表示,爱尔兰隐私监管部门(负责监管Facebook的所有欧洲业务)已经“暗示”Facebook将无法再利用其当前的法律机制从欧洲向美国传输个人数据,包括从姓名和电子邮箱到照片和评论等与可确定身份的欧洲个人有关的任何数据。
在此之前,《华尔街日报》(Wall Street Journal)曾经报道称,爱尔兰隐私监管部门曾经向Facebook发布了“一项暂停向美国传输欧盟用户数据的初步命令。”
欧盟的最高法院曾经在两个月前裁决,“标准合同条款”(standard contractual clauses)这种法律机制在原则上是合法有效的。然而,法院称在将欧洲人的数据发送至没有良好隐私保护的国家导致数据面临威胁的情况下,隐私监管部门可以认定应用“标准合同条款”无效。
这将影响向美国的数据传输,这一点一直以来都很清楚,因为欧盟法院(Court of Justice of the EU)做出了同样的判决,否决了美国与欧盟之间数据传输的专门机制“隐私护盾”。公司通过这种机制能够更简单并且以更低成本跨大西洋合法传输数据。
法院的理由是美国的数据监视法律,导致大型科技公司无法避免欧洲人的数据被美国情报部门掌握。无论公司为数据传输采用哪种法律机制,都存在同样的问题。
“影响深远”
Facebook的首席游说官、前英国副首相尼克•克莱格在9月9日的一篇博客中写到:“爱尔兰数据保护委员会(The Irish Data Protection Commission)已经开始调查Facebook受管制的在欧盟与美国之间的数据传输,并暗示标准合同条款可能无法再实际应用到欧盟与美国之间的数据传输。虽然此事还要经过更多流程,但按照该委员会的说法,可能对依赖标准合同条款这种机制的企业以及许多个人和企业依赖的在线服务产生深远的影响。”
克莱格认为“没有安全、合法的跨国数据传输,会妨碍欧盟的经济以及数据驱动型企业的增长。”因为企业将无法再使用位于美国的云服务提供商处理客户数据。
他甚至认为,终止美国导向的标准合同条款机制,会使服务欧洲高校和医院的电子邮件平台受到影响。但这种说法值得怀疑,因为欧盟隐私法律允许向任何地区传输数据,前提是数据传输对于履行用户和提供商之间的合同是“必要的”,而且处理电子邮件是电子邮箱服务的基本功能。
Facebook等公司现在面临的两难境地是,用户希望进行在线社交,然而跟踪用户的在线活动和编制营销资料,对于满足用户的这种需求并不是必不可少的,但对于Facebook依赖广告收入的公司业绩可能至关重要。
这并不意味着Facebook不会至少尝试将“必要性”作为另外一条法律依据,用于支持其在欧盟与美国之间传输个人数据(这将是继当前使用的标准合同条款、之前采用的隐私护盾和同样被否决的安全港协议之后的第四个法律依据)。
奥地利的年轻律师马克思•施雷姆斯为了阻止自己的Facebook数据被美国间谍利用提起了诉讼。他的抗争促使欧盟法院撤销了安全港协议和隐私护盾。他在9月10日公布了他的律师与Facebook律师之间的法律信函,揭露了Facebook调用“必要性”作为法律依据的做法。
施雷姆斯在通过电子邮件发送的一份声明中指出,爱尔兰监管部门对Facebook处理他的个人数据的做法展开了漫长的调查,目前调查只专注于Facebook标准合同条款的有效性。他说,这意味着监管部门“依旧只是在调查问题的一个方面。”
施雷姆斯表示:“Facebook似乎也希望数据保护委员只把标准合同条款作为调查重点,这样等到第三轮程序结束时,他们就可以拿出下一个法律依据。这种在法律上的‘打地鼠’游戏到现在已经持续了七年。所以我怀疑,针对Facebook的所谓命令只不过是另一个毫无用处的台阶,不会彻底解决问题。”
《财富》杂志曾经咨询爱尔兰数据保护委员会对此事的意见,但至今未收到答复。
“隐私护盾加强版”
无论Facebook能否把调查再拖延几年,如果爱尔兰数据保护委员会“暗示标准合同条款可能无法再实际应用到欧盟与美国之间的数据传输”(克莱格的原话),这对于大型科技公司而言将是一次沉重的打击。
“必要性”可能成为许多公司的救命稻草,因为许多公司除了将用户数据用于提供核心服务以外,还会用于其他目的。Facebook(及其同行)还有一线希望,即美国与欧盟达成第三版数据共享协议,取代隐私护盾。
克莱格在9月9日的博客中对欧盟和美国尝试达成“隐私护盾加强版”(他的原话)协定所做的努力表示欢迎。他写道:“双方在开展相关工作时应该认识到,欧盟成员国和美国都是民主国家,有着共同的价值观和法治精神,双方在文化、社会和商业上的联系密不可分,而且有非常类似的数据监控权力和规范。”
但这两个贸易伙伴并没有类似的数据保护法律。否则,欧盟委员会可以简单地认定美国的隐私保护制度是“充分的”(类似于欧盟委员会对加拿大和日本的评价),而且美国公司也不需要为它们的数据传输努力寻找其他法律依据。
事实上,除了医疗领域以外,美国并没有联邦数据隐私法律,美国的情报部门有广泛的自由裁量权,可以对外国人的通信进行监听,而对于在美国境内的这种监听行为,欧洲人没有有效的投诉途径。
除非这种情况发生改变,否则所谓的“隐私护盾加强版”不太可能出现,而且隐私护盾和安全港在欧盟法院两次碰壁之后,欧盟委员会不太可能支持一项在法律上漏洞百出的协议。正如欧盟的司法事务专员迪迪埃•雷恩德斯不到一周前所说的那样,这方面不会有“快速解决的办法”。
这一切都表明关键时刻终于来临,而且这不只是针对美国科技企业,其他国家的企业同样将面临考验。这些企业一方面渴望利用欧洲人的个人数据,但本国却执行了具有侵略性的数据监控。(财富中文网)
翻译:刘进龙
审校:汪皓
A slow-motion train wreck has been unfolding over the past half-decade in the wonkish but fundamental field of data privacy, as one Facebook user's crusade against U.S. surveillance practices has slowly closed off the American tech industry's legal options for importing European users' personal information.
Now it looks like the moment of impact is finally about to arrive, leaving Big Tech unable to process European users' data in the U.S.
Facebook said on September 9 that the Irish privacy regulator (which governs all of Facebook's European activities) has "suggested" it will no longer be able to use the legal mechanism it currently uses to make Europe-to-U.S. transfers of personal data—that is, any data that can be connected with an identifiable person in Europe, from names and email addresses to photos and comments.
This followed a Wall Street Journal report that said the watchdog had hit Facebook with "a preliminary order to suspend data transfers to the U.S. about its EU users."
The EU's top court ruled a couple of months ago that the legal mechanism, known as "standard contractual clauses" or SCCs, is in principle legally valid. However, it said the use of SCCs can be invalidated by privacy regulators in cases where Europeans' data is made vulnerable by sending it to a country without good privacy protections.
It was always clear that this was likely to affect transfers to the U.S., because the same ruling—by the Court of Justice of the EU (CJEU)—struck down a separate, specifically U.S.-EU arrangement called Privacy Shield, which gave companies a simpler and cheaper way to keep their transatlantic transfers legal.
The court's reasoning was that U.S. surveillance laws make it impossible for Big Tech to keep Europeans' data out of the hands of U.S. intelligence agencies. The same problem applies whatever legal mechanism companies are using for those transfers.
“Far-reaching effect”
"The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-U.S. data transfers, and has suggested that SCCs cannot in practice be used for EU-U.S. data transfers," Facebook's chief lobbyist, the former U.K. deputy prime minister Nick Clegg, wrote in a September 9 blog post. "While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on."
Clegg argued that "a lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU," because they will no longer be able to use U.S.-based cloud providers to process their customers' data.
He even suggested the end of U.S.-oriented SCCs would impact email platforms that service European universities and hospitals. This is a questionable claim, because EU privacy law allows data transfers to anywhere as long as they are "necessary" to fulfill the contract between the user and provider—and the processing of emails is pretty fundamental for an email service.
The dilemma for a company such as Facebook is that its users want to socialize with one another online, but the tracking of their online activities and compilation of their marketing profiles are arguably not strictly necessary for making that happen—crucial as they may be for Facebook's ad-fueled bottom line.
However, that doesn't mean Facebook isn't at least trying to invoke "necessity" as yet another legal basis for its EU-U.S. personal-data transfers (the fourth, after its current use of SCCs and its previous reliance on Privacy Shield and its also-struck-down predecessor agreement, Safe Harbor).
Max Schrems, the young Austrian lawyer whose legal quest to protect his Facebook data from U.S. spies led to the CJEU's cancellation of Safe Harbor and Privacy Shield, revealed Facebook's invocation of "necessity" on September 10, when he published legal correspondence between his lawyers and Facebook's.
In an emailed statement, Schrems noted that the Irish watchdog's long-running investigation into Facebook's processing of his data is currently focusing only on the validity of Facebook's SCCs. He said this meant the regulator was "again only investigating one slice of the problem."
"Facebook seems to want the DPC to only focus on the SCCs as well, so that they can just pull out the next legal basis at the end of this third round of the procedure. This legal edition of 'whac-a-mole' has been ongoing for seven years now," Schrems said. "I therefore suspect that the alleged order against Facebook is another useless step that will not solve the issue fully."
Fortune has reached out to the Irish Data Protection Commission for comment, but has so far received none.
“Privacy Shield Plus”
Whether or not Facebook manages to drag out its own investigation for another few years, if the Irish Data Protection Commission has "suggested that SCCs cannot in practice be used for EU-U.S. data transfers" (Clegg's words) then that really would be a blow for Big Tech.
The "necessity" argument may be clutching at straws for companies that, as many do, use their customers' data for other purposes than the core services they provide. Facebook's (and its peers') one remaining hope would be the striking of a third U.S.-EU data-sharing deal, to replace Privacy Shield.
In his September 9 post, Clegg welcomed the fact that the EU and U.S. sides are both trying to make a "Privacy Shield Plus" (again, his words) happen. "These efforts will need to recognize that EU Member States and the U.S. are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices," he wrote.
But the two trading partners don't have similar data-protection laws. If they did, the European Commission could easily decide the U.S. privacy regime is "adequate" (as it has with Canada and Japan) and American companies wouldn't need to be scrambling for other legal bases to underpin their data transfers.
The fact remains that the U.S. has no federal data-privacy law outside of the medical arena; its intelligence agencies retain broad discretion to spy on the communications of foreigners; and Europeans have no meaningful way to complain about that spying in the U.S.
Unless all this changes, it's deeply unlikely that a "Privacy Shield Plus" could fly—and, after two humiliations at the CJEU over Privacy Shield and Safe Harbor, the Commission is unlikely to support a deal that isn't legally watertight. As EU Justice Commissioner Didier Reynders said less than a week ago, there will be "no quick fix" on this front.
All of which suggests that the moment of truth is finally almost here—and not only for U.S. tech firms, but also for those in other countries, which are keen to use Europeans' personal data but have invasive surveillance practices to contend with back home.
