Two years after Edward Snowden revealed massive monitoring by US intelligence services, the European Court of Justice is forcing Europeans to deal with the issue yet again. This time, a mere public outcry won't do.
"This case is not about Facebook", a Facebook spokesperson told DW. "The Advocate General himself said that Facebook has done nothing wrong."
Given that the European Court of Justice (ECJ) ruled in a case started by Austrian Max Schrems, who had complained that the personal data he put on Facebook were not sufficiently protected from US spies, the company's statement might be surprising. But it is, nevertheless, correct.
"What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows," Facebook's spokesperson added.
Thousands of companies affected
Since the year 2000, the transatlantic Safe Harbor agreement between the US and the European Union (EU) has allowed American companies to use a single standard for consumer privacy and data storage. In a landmark decision on Tuesday, the ECJ declared this agreement invalid.
This affects thousands of American companies in Europe who routinely transfer personal data of users, customers and clients to servers in the US, where intelligence services can access the data.
Alternatives to the Safe Harbor agreement exist, said Maurice Shahd of Bitkom, the German association of IT and telecom companies. For example, there are the EU's Binding Corporate Rules, which also detail how data can be transferred across borders in compliance with data protection rules.
"Companies can also just ask their clients and users to agree to their data being transferred to the US," said Shahd.
No big change?
Another alternative, that is storing European data only on European servers which cannot be accessed from the US, would demand "high expenditures" by companies, according to Shahd.
The up to 4,500 US companies in Europe which so far have relied on Safe Harbor are now asking the authorities to define clear rules on what is and what's not OK.
"It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security," a Facebook spokesperson said.
Busy meetings in Europe
In the meantime, data privacy protection agencies all over Europe are getting busy. "My office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively," said Helen Dixon, Ireland's data protection commissioner.
In 2013, Max Schrems had filed his complaint against "Facebook Ireland," the company's European headquarters, with Helen Dixon's office, who found there was "no duty to investigate" and later argued the complaint was "frivolous and vexatious."
Johannes Caspar, data protection commissioner of the German city-state of Hamburg, confirmed that meetings with European colleagues would start this week.
"Within the EU, we have to find a common solution as to how to put the court's decision into practice," he told DW. "Otherwise, different data privacy protection agencies will have different rules, and that would be untenable for the legal certainty of users and companies alike."
'US should change the system'
“We also have to discuss whether data protection agencies can stop the transfer of data, whether we can issue administrative orders, which companies are affected, and what the deadlines are,” Caspar added.
The debate on alternatives to the Safe Harbor agreement was important, he said, but then asked: "What's the point of all that, if the real issue is not the behavior of companies, but the behavior of the government of the United States of America?"
According to Caspar, the US government "would be well advised to change the current system in which US intelligence services can monitor EU citizens."
Edward Snowden is back
That seems unlikely, however. A quick and unified European response could at least "put pressure on the negotiations between the EU and the USA," he said.
What to do about data privacy protection in Europe? This question has begged discussion ever since Edward Snowden revealed the massive surveillance programs by the NSA in 2013. European politicians "refused to have this discussion back then," Caspar told DW.
"The ruling by the European Court of Justice now forces us to have this discussion."
After the ECJ's ruling, it's impossible to "just close our eyes and carry on as if nothing happened," he said. "Something needs to change, and thanks to the court's clear wording, nobody can deny that."