EU pressure on Facebook
October 5, 2015Do you know where your Facebook, Google or Twitter data are stored? Do you care? Or is it a stupid question?
From a technical point of view, it's probably the latter, if one considers the way the Internet works. Because of global technical standards for data exchange and fast Internet connections, in practice it doesn't matter whether a German user's data are stored on servers in Germany, Scandinavia, Ireland, or the US. In the blink of an eye, data can move tens of thousands of kilometers along optical fibers. That's the nature of the beautiful new Internet world.
But is it really so beautiful? Data privacy activists say 'no.' They've long been concerned about the fact that technology makes it so easy to get around data privacy regulations. The deciding factor is where the data are stored and processed - and in that regard, big players like Facebook, Google and others prefer the cheapest solution: Data from all countries are stored on servers located in the homeland of most such companies - the US (picture at top of page: a Google server farm in Oregon).
As a result, the data are governed by American data privacy regulations - and those regulations are significantly less stringent than those in the European Union. Moreover, US intelligence agencies like the NSA (National Security Agency) have very easy access to data on US servers.
'Safe Harbor' - 15 years of window-dressing?
To date, politicians and regulators have turned a blind eye to this issue. They've simply pretended that European and US data privacy laws and regulations have been equivalent. "Safe Harbor" is the name of an agreement struck 15 years ago which made data exchanges between the US and EU countries routine and barrier-free for Internet companies.
Now, however, the Safe Harbor agreement could be overturned by the European Court of Justice (ECJ). The court's Advocate General, Yves Bot, released his legal opinion on the matter two weeks ago. He concluded that the US does not provide sufficient protection for the privacy of EU citizens' data. Bot was particularly critical of surveillance by US intelligence agencies.
Bot's legal opinion is not binding on the ECJ, but its justices generally do follow their Advocate General's recommendations. If that turns out to be what they do in this case, it would present Facebook, Google and other American internet companies with a big problem.
How might US Internet companies react?
The companies could react in several different ways. In one scenario, they could take steps to follow the new data privacy rules that emerge, and make sure that European users' data are only stored on European servers. That's theoretically doable - Facebook, for example, has farmed out its European business to a subsidiary in Ireland in any event. Legally, the Irish subsidiary is responsible for the data of all European Facebook users.
In technical terms, however, it would be necessary to rewire a great deal of the networks running in the background, in order to prevent European users' data from being stored in the USA - an expensive and messy proposition.
Another option for Facebook would be for the company to formally withdraw from Europe, wind down its Irish subsidiary, and invite users to make use of the US-based resources of the company. That would result in arm-wrestling between Facebook and the EU Commission, which under this scenario would in theory be obliged to take action to enforce data security for European users.
Who's going to be stuck with unwelcome consequences - Facebook or the EU?
Under a third scenario, Facebook would ask all its European users to sign off on a user agreement that expressly allows Facebook to store their personal data in the USA. Those who don't agree would be barred from Facebook. In light of the growing number of Facebook addicts who get antsy if Facebook is inaccessible to them even for a few minutes, this option would probably be the easiest and most comfortable for the company.
"What's that - no more Facebook for Germans?!", panicking users would cry. The public's wrath would more likely be aimed at the EU Commission than at the company and its poor data privacy protections.