Beyond the countless data breaches that companies and consumers endured in 2015, perhaps the most obvious tension in the online privacy realm could be felt in the many altercations between the U.S. and Europe.
The seed of this combative surge can perhaps be traced back to 2013, when former NSA contractor-turned-whistleblower Edward Snowden began revealing the extent of government snooping programs. Underscoring the clash of attitudes about personal data between the two regions, members of the European Parliament this fall voted in favor of granting Snowden Asylum in the E.U. as a “human rights defender.” Whether E.U. member states take action on the consensus vote is another matter entirely. But it flew in stark contrast to the White House, which rejected a We the People petition to pardon Snowden just a few months previously.
Against this backdrop, we look at some of the key battles that raged between the two regions over the past twelve months.
Max Schrems has proven to be a major thorn in the side of Facebook, among other U.S. tech companies.
Back in August 2014, the Austrian law student and privacy campaigner launched a privacy class-action lawsuit addressing the social network’s handling of user data in Europe. The group came to be known as Europe vs. Facebook. 25,000 claimants joined the class-action lawsuit, with each standing to gain around 500 euros ($540) if it succeeds. Facebook has sought to block the lawsuit, and Austria’s highest court has yet to decide whether to allow it.
But Schrems’ biggest achievement was convincing a European court that the U.S. “Safe Harbor” data-sharing pact is invalid. This was a monumental, far-reaching verdict, one that is fundamentally changing the way U.S. tech companies manage its users’ data around the world.
The Safe Harbor principles were devised by the U.S. to help companies comply with the European Commission’s Directive on Data Protection, which came into effect in 1998. The directive prohibits the transfer of personal data outside the European Union to countries that don’t adhere to the E.U.’s standard for privacy protection. Given that many tech companies, including Facebook, Google, Apple, and Twitter, store their data on U.S.-based servers, the U.S. Department of Commerce drew up the Safe Harbor agreement in consultation with Europe.
Schrems argued that the U.S. couldn’t guarantee the safe storage of customer data, particularly in light of the Snowden NSA revelations. The Court of Justice of the European Union in Luxembourg ruled that national authorities could investigate complaints that alleges the U.S. doesn’t ensure an adequate level of protection. And it ultimately ruled that the U.S. / E.U. agreement was invalid.
While the ruling doesn’t necessarily mean that the Safe Harbor principles are dead, it does mean that local authorities in each E.U. country must consider cases brought before it. But the court also found that the Safe Harbor scheme weighed in favor of the U.S. and is prone to interference from authorities.
Such was the extent of Schrems’ work, a certain Mr. Snowden extended his congratulations.
— Edward Snowden (@Snowden) October 6, 2015
In the immediate aftermath of the Safe Harbor ruling, minor chaos and confusion ensued. What exactly did the ruling mean — would Facebook and others have to cease operations in Europe? Well, no, as it happens. The European Commission referred to “other arrangements” that could be used temporarily to continue the flow of data until the situation is resolved.
In Ireland, where Facebook’s European headquarters is based, the privacy watchdog is finally investigating the complaint filed by Schrems. And big tech companies have taken note. Microsoft announced a partnership with Germany’s Deutsche Telekom to help ring-fence European data, while it also opened its first U.K. data centers. Elsewhere, Amazon revealed it would open its first U.K. data centers, while Box unveiled similar plans.
It remains to be seen what a second version of the Safe Harbor agreement between the U.S. and E.U. will look like, but it’s clear that U.S. tech companies increasingly view Europe as a seperate, distinct legal entity. And its future practices could well reflect that, meaning all data emanating from European users will remain in Europe.
Right to be forgotten… globally
Europe’s designed its so-called “right-to-be-forgotten” ruling to help individuals de-index web pages that contain old, out-of-date, or irrelevant content appearing on search engines. The intention is to help the drunken student who pulled that excruciatingly embarrassing prank at university and landed a night in jail regain some online dignity when trying to impress prospective employers years later.
While Google and its peers have considered millions of requests in the two years since, the ruling only applied to European versions of the search engine (such as the .co. uk, .de, and .fr top-level domains), not Google.com, Google.ca, and so on. However, France requested that Google, as the biggest and most popular search engine, expand the right-to-be-forgotten to all of its search engines. Naturally, Google rejected this. “This is a troubling development that risks serious chilling effects on the web,” Peter Fleischer, global privacy counsel at Google, said at the time.
The regulator then rejected Google’s appeal, and said that if Google did not comply with the order, it would recommend sanctions or fines against the company. Such sanctions have yet to materialize.
Again, this demonstrates the increasing incongruity of U.S. and European legislation and practices. It seems a little far-fetched to expect Google to cloak each of its non-E.U. search engines. But if Google wishes to operate locally in specific E.U. countries, it will likely have little choice but to bow to the authorities. Either that, or it will have to close its local operations.
Android’s great unbundling?
Russia dealt a blow to Google in October, when anti-trust regulators sided with local competitor Yandex over claims surrounding Google’s insistence that Android devices come with certain Google apps pre-installed. Effectively, the Federal Antimonopoly Service requested that Google change its contracts with mobile phone companies by November 18, so as to stop abusing its market-position in Russia.
November 18 came and went, and Google announced no changes. A day later, rather predictably, the company revealed it would challenge the decision.
Russia is the tip of the iceberg for Android’s potential woes in Europe. In May, the European Commission, following a four-year investigation, accused Google of using its dominance to bias search results to favor its own products and services. But it also revealed it would open a second probe into Android — and it’s all about anti-competition. The commission said it will assess:
If, by entering into anticompetitive agreements and/or by abusing a possible dominant position, Google has illegally hindered the development and market access of rival mobile operating systems, mobile communication applications and services in the European Economic Area.
Ultimately, Europe wants to find out whether Google has held back competing services on Android by forcing phone manufacturers to bundle Google apps and services.
Both of these investigations will likely linger on for some time yet. But judging by other decisions that seem to be going against U.S. companies, the antitrust actions in Europe could eventually lead to Android’s great unbundling.
The trans-atlantic tech tussles weren’t restricted to the data-privacy realm. While Uber’s woes extend bar beyond Europe, France proved to be a particularly contentious country for the e-taxi company in 2015.
The country’s taxi-driving fraternity took to the roads in protest in June, leading to scuffles and clashes with riot police. The taxi drivers were protesting UberPop, Uber’s ride-sharing service that connects travelers with private car-owners, which effectively lets anyone become a taxi driver, with no regulation or licensing.
Uber had earlier launched UberPop in Marseille, Nantes, and Strasbourg, spurring protests in those cities. Things got ugly, though not violent, when a handful of Marseille taxi drivers booked an UberPop car and hijacked it, letting the air out of its tires and holding the driver under temporary “arrest.”
While Uber’s services have been challenged in many countries in Europe and around the world, France seems to be taking the lead in combatting the company’s efforts.
We reported that Pierre Dimitri, Uber’s general manager for Western Europe, and Thibaud Simphal, Uber’s general manager for France, had attended a meeting with police voluntarily to discuss the company’s practices. It was then revealed that they would stand trial in September, charged with complicity in operating an illegal transportation service, deceptive commercial practices, and illegally running taxi services. Uber’s defence successfully argued for more time to study evidence and postponed the trial until mid-February. If the two executives are found guilty, they could face up to two years in prison.
Various courts across the E.U. have issued bans on Uber services, leading to the California-headquartered company to file complaints with the European Commission. The E.C. later announced it is undertaking a study into further regulation that may be needed to help ameliorate the growing tensions between licensed taxi drivers and ride-sharing companies such as Uber.
It’s not yet clear how Uber’s fortunes will pan out in Europe. London, for example, seems to be on-side with the company, as Uber survived a legal challenge that sought to equate its mobile app with a taximeter — something that only black-cab drivers can use.
Legal outcomes aside, it’s clear there is a big disconnect between legislation, local taxi drivers, and consumers. Taxi drivers feel aggrieved that there is seemingly one rule for them and another for ride-sharing companies such as Uber. Legislation, for the most part, hasn’t really caught up with the rise of the peer-to-peer “sharing economy.” And consumers really just want the most convenient and cheapest way of getting from A-to-B. Something, somewhere will have to give — what that is, remains to be seen.
Back in June, Facebook launched a new mobile app called Moments, letting friends share photos with each other automatically using facial-recognition technology. But the app isn’t available in Europe because of privacy concerns surrounding facial-recognition technology.
This issue is a long-standing one within Europe, dating back to 2011 when Facebook turned on facial-recognition software that automatically suggested names of friends within photos. Facebook agreed to turn it off in Europe, and it has remained off ever since.
Elsewhere, Wikipedia’s parent organization, the Wikimedia Foundation, won a lawsuit brought against it by a Germany-based film director who sought to hide her age on Wikipedia. Sixty-year-old Dr. Evelyn Schels argued that her “general right of personality and her data protection rights were infringed because she did not consent to the publication of her date of birth in the Wikipedia article about her,” according to a statement from Wikimedia, which countered that because Dr. Schels is famous, and her birthdate was already available to the public, the information should remain. The court agreed, and common sense prevailed.
This echoed a similar case in the U.S. some years earlier, when Amazon’s Internet Movie Database was targeted by an actress who tried to hide her real age on the site. She argued that this was causing her to lose work, but she lost in court, having been forced to shed her anonymity to pursue the case. So, it seems, Europe and the U.S. can agree on some things.
We saw a great deal of friction between the constituent European Union states and the U.S. in 2015, and there’s no reason to expect things will simmer down in 2016. Though there is a broad E.U. legal framework, within that there are 28 distinct legal and cultural entities across the member states, and this can make business tricky for companies entering the region.
Many of the aforementioned cases are yet to be resolved, and we will likely see more privacy-based incongruity added to the mix in the coming months. But one thing is clear. The U.S. and — more specifically — tech companies based within the U.S. will likely have to adopt different strategies and approaches when tackling Europe.