EU Law

Perhaps Big Tech Regulation Belongs on Congress’s for You Page

Kira Le, MJLST Staffer

On Thursday, March 23, 2023, TikTok CEO Shou Zi Chew testified before a Congressional panel for five hours in order to convince Congress that the social media platform should not be banned in the United States. The hearing came one week after reports surfaced that the Committee on Foreign Investment was threatening a ban unless TikTok’s parent company ByteDance sells its share of the company.[1] Lawmakers on both sides of the aisle, as well as FBI officials, are allegedly concerned with the possibility of the Chinese government manipulating users’ experience on the platform or threatening the security of the data of its more than 150 million users in the United States.[2] Despite Chew’s testimony that TikTok plans to contract with U.S. tech giant Oracle to store U.S. data on U.S. servers on U.S. soil, preventing Chinese interference on the platform and recommending content to U.S. users through Oracle infrastructure, lawmakers were not convinced, and not a single one offered support for TikTok.[3]

In terms of what’s to come for TikTok’s future in the United States, Senator Marco Rubio updated his website on Monday, March 27, 2023 with information on “when TikTok will be banned,” claiming his proposed ANTI-SOCIAL CCP Act is the only bipartisan, bicameral legislation that would actually prevent TikTok from operating in the United States.[4] In order to cut off the platform’s access to critical functions needed to remain online, the proposed statute would require the president to use the International Emergency Economic Powers Act to block and prohibit all transactions with TikTok, ByteDance, and any subsidiary or successor within 30 days.[5] Senator Rubio explains that the proposed legislation “requires the president to block and prohibit transactions with social media companies owned or otherwise controlled by countries or entities of concern.”[6] Reuters reports that The White House supports the Senate bill known as the RESTRICT Act.[7] However, former President Trump made an almost identical attempt to ban the app in 2020.[8]TikTok was successful in quashing the effort, and would almost certainly challenge any future attempts.[9] Further, according to Jameel Jaffer, executive director of the Knight First Amendment Institute at Columbia University, “To justify a TikTok ban, the government would have to demonstrate that privacy and security concerns can’t be addressed in narrower ways. The government hasn’t demonstrated this, and we doubt it could. Restricting access to a speech platform that is used by millions of Americans every day would set a dangerous precedent for regulating our digital public sphere more broadly.”[10]

Despite what Congress may want the public to think, it certainly has other options for protecting Americans and their data from Big Tech companies like TikTok. For example, nothing is stopping U.S. lawmakers from following in the footsteps of the European Parliament, which passed the Digital Markets Act just last year.[11] Although the main purpose of the Act is to limit anticompetitive conduct by large technology companies, it includes several provisions on protecting the personal data of users of defined “gatekeeper” firms. Under the Act, a gatekeeper is a company that provides services such as online search engines; online social networking services; video-sharing platform services; number-independent interpersonal communications services; operating systems; web browsers; and online advertising services that are gateways for business to reach end users.[12] The Digital Markets Act forbids these gatekeepers from processing the personal data of end users for the purpose of providing online advertisement services, combining or cross-using their personal data, or signing users into other services in order to combine their personal data without their explicit consent.[13]

The penalties associated with violations of the Act give it some serious teeth. For noncompliance, the European Commission may impose a fine of up to 10% of the offending gatekeeper’s total worldwide turnover in the preceding year in the first instance, and up to 20% if the gatekeeper has committed the same or a similar infringement laid out in specific articles at some point in the eight preceding years.[14] For any company, not limited to gatekeepers, the Commission may impose a fine of up to 1% of total worldwide turnover in the preceding year for failing to provide the Commission with information as required by various articles in the Act. Finally, in order to compel any company to comply with specific decisions of the Commission and other articles in the regulation, the Commission may impose period penalty payments of up to 5% of the average daily worldwide turnover in the preceding year, per day.[15]

If U.S. lawmakers who have backed bipartisan legislation giving President Biden a path to ban TikTok are truly concerned about preventing the spread of misinformation on the platform, who truly believe, as Representative Gus Bilirakis claims to, that it is “literally leading to death” and that “[w]e must save our children from big tech companies” who allow harmful content to be viewed and spread without regulation, then perhaps Congress should simply: regulate it.[16] After the grueling congressional hearing, the Chinese foreign ministry stated in a regular news briefing that it has never asked companies “to collect or provide data from abroad to the Chinese government in a way that violated local laws…”[17]During his testimony, Chew also argued that TikTok is no different than other social media giants, and has even sought to put stronger safeguards in place as compared to its competitors.[18] Granted, some lawmakers have expressed support for comprehensive data privacy legislation that would apply to all tech companies.[19] Perhaps it would be more fruitful for U.S. lawmakers to focus on doing so.

Notes

[1] Ben Kochman, Skeptical Congress Grills TikTok CEO Over Security Concerns, LAW360 (Mar. 23, 2023), https://plus.lexis.com/newsstand#/law360/article/1588929?crid=56f64def-fbff-4ba3-9db0-cbb3898308ce.

[2] Id.

[3] Id.; David Shepardson & Rami Ayyub, TikTok Congressional Hearing: CEO Shou Zi Chew Grilled by US Lawmakers, REUTERS (Mar. 24, 2023), https://www.reuters.com/technology/tiktok-ceo-face-tough-questions-support-us-ban-grows-2023-03-23/.

[4] FAQ: When Will TikTok Be Banned?, MARCO RUBIO US SENATOR FOR FLORIDA (Mar. 27, 2023), https://www.rubio.senate.gov/public/index.cfm/press-releases?ContentRecord_id=C5313B3F-8173-4DC8-B1D9-9566F3E2595C.

[5] Id.

[6] Id.

[7] Factbox: Why a Broad US TikTok Ban is Unlikely to Take Effect Soon, REUTERS (Mar. 23, 2023), https://www.reuters.com/technology/why-broad-us-tiktok-ban-is-unlikely-take-effect-soon-2023-03-23/.

[8] Id.

[9] Id.

[10] Id.

[11] Council Regulation (EU) 2022/1925 on Contestable and Fair Markets in the Digital Sector, 2022 O.J. L 265/1 [hereinafter Digital Markets Act].

[12] Id., Art. 3, 2022 O.J. L 265/28, 30.

[13] Id. art. 5, at 33.

[14] Id. art. 30, at 51, 52.

[15] Id. art. 17, at 44.

[16] Ben Kochman, Skeptical Congress Grills TikTok CEO Over Security Concerns, LAW360 (Mar. 23, 2023), https://plus.lexis.com/newsstand#/law360/article/1588929?crid=56f64def-fbff-4ba3-9db0-cbb3898308ce.

[17] David Shepardson & Rami Ayyub, TikTok Congressional Hearing: CEO Shou Zi Chew Grilled by US Lawmakers, REUTERS (Mar. 24, 2023), https://www.reuters.com/technology/tiktok-ceo-face-tough-questions-support-us-ban-grows-2023-03-23/.

[18] Daniel Flatley, Five Key Moments From TikTok CEO’s Combative Hearing in Congress, BLOOMBERG (Mar. 23, 2023), https://www.bloomberg.com/news/articles/2023-03-23/five-key-moments-from-tiktok-ceo-s-combative-hearing-in-congress#xj4y7vzkg.

[19] Ben Kochman, Skeptical Congress Grills TikTok CEO Over Security Concerns, LAW360 (Mar. 23, 2023), https://plus.lexis.com/newsstand#/law360/article/1588929?crid=56f64def-fbff-4ba3-9db0-cbb3898308ce.


Call of Regulation: How Microsoft and Regulators Are Battling for the Future of the Gaming Industry

Caroline Moriarty, MJLST Staffer

In January of 2022 Microsoft announced its proposed acquisition of Activision Blizzard, a video game company, promising to “bring the joy and community of gaming to everyone, across every device.” However, regulators in the United States, the EU, and the United Kingdom have recently indicated that they may block this acquisition due to its antitrust implications. In this post I’ll discuss the proposed acquisition, its antitrust concerns, recent actions from regulators, and prospects for the deal’s success.

Background

Microsoft, along with making the Windows platform, Microsoft Office suite, Surface computers, cloud computing software, and of new relevance, Bing, is a major player in the video game space. Microsoft owns Xbox, which along with Nintendo and Sony (PlayStation) is one of the three most popular gaming consoles. One of the main ways these consoles distinguish themselves from their competitors is by categorizing certain games as “exclusives,” where certain games can only be played on a single console. For example, Spiderman can only be played on PlayStation, the Mario games are exclusive to Nintendo, and Halo can only be played on Xbox. Other games, like Grand Theft Auto, Fortnite, and FIFA are offered on multiple platforms, allowing consumers to play the game on whatever console they already own.

Activision Blizzard is a video game holding company, which means the company owns games developed by game development studios. They then make decisions about marketing, creative direction, and console availability for individual games. Some of their most popular games include World of Warcraft, Candy Crush, Overwatch, and one of the most successful game franchises ever, Call of Duty. Readers outside of the gaming space may recognize Activision Blizzard’s name from recent news stories about its toxic workplace culture.

In January 2022, Microsoft announced its intention to purchase Activision Blizzard for $68.7 billion dollars, which would be the largest acquisition in the company’s history. The company stated that its goals were to expand into mobile gaming, as well as make more titles available, especially through Xbox Game Pass, a streaming service for games. After the announcement, critics pointed out two main issues. First, if Microsoft owned Activision Blizzard, it would be able to make the company’s titles exclusive to Xbox. This is especially problematic in relation to the Call of Duty franchise. Not only does the Call of Duty franchise include the top three most popular games of 2022, but it’s estimated that 400 million people play at least one of the games, 42% of whom play on Playstation. Second, if Microsoft owned Activision Blizzard, it could also make its titles exclusive to Xbox Game Pass, which would change the structure of the relatively new cloud streaming market.

The Regulators

Microsoft’s proposed acquisition has drawn scrutiny from the FTC, the European Commission, and the UK Competition and Markets Authority. In what the New York Times has dubbed “a global alignment on antitrust,” the three regulators have pursued a connected strategy. First, the European Commission announced an investigation of the deal in November, signaling that the deal would take time to close. Then, a month later, the FTC sued in its own administrative court, which is more favorable to antitrust claims. In February 2023, the Competition and Markets Authority released provisional findings on the effect of the acquisition on UK markets, writing that the merger may be expected to result in a substantial lessening of competition. Finally, the EU commission also completed its investigation, concluding that the possibility of Microsoft making Activision Blizzard titles exclusives “could reduce competition in the markets for the distribution of console and PC video games, leading to higher prices, lower quality and less innovation for console game distributors, which may, in turn, be passed on to consumers.” Together, the agencies are indicating a new era in antitrust – one that is much tougher on deals than in the recent past.

Specifically, the FTC called out Microsoft on its past acquisitions in its complaint. When Microsoft acquired Bethesda (another video game company, known for games like The Elder Scrolls: Skyrim) in 2021, the company told the European Commission that they would keep titles available on other consoles. After the deal cleared, Microsoft announced that many Bethesda titles, including highly anticipated games like Starfield and Redfall, would be Microsoft exclusives. The FTC used this in its complaint to show that any promises by Microsoft to keep games like Call of Duty available to all consumers could be broken at any time. Microsoft has disputed this characterization, arguing that the company made decisions to make titles exclusive on a “case-by-case basis,” which was in line with what it told the European Commission.

For the current deal, Microsoft has agreed to make Call of Duty available on the Nintendo Switch, and it claims to have made an offer to Sony, guaranteeing the franchise would remain available on PlayStation for ten years. This type of guarantee is known as conduct remedy, which preserves competition through requirements that the merged firm commits to take certain business actions or refrain from certain business conduct going forward. In contrast, structural remedies usually require a company to divest certain assets by selling parts of the business. One example of conduct remedies was in the Live Nation – Ticketmaster merger. The companies agreed not to retaliate against concert venue customers that switched to a different service nor tie sales of ticketing services to concerts it promoted. However, as the recent Taylor Swift ticketing dilemma proves, conduct remedies may not be effective in eliminating anticompetitive behavior.

Conclusion

Microsoft faces an uphill battle with its proposed acquisition. Despite its claims that Xbox does not exercise outsize influence in the gaming industry, the sheer size and potential effects of this acquisition make Microsoft’s claims much weaker. Further, the company faces stricter scrutiny from new regulators in the United States. Assistant Attorney General Jonathan Kanter, who leads the DOJ’s antitrust division, has already indicated that he prefers structural remedies to conduct ones, and Lina Khan, FTC commissioner, is well known for her opposition to big tech companies. If Microsoft wants this deal to succeed, it may have to provide more convincing evidence that it will act differently than its anticompetitive conduct in the past.


The Apathetic Divide: Surrogacy and the Anglo-American Courtroom

Kelso Horne, MJLST Staffer

The State of New York defines Gestational Surrogacy as “a process where one person, who did not provide the egg used in conception, carries a fetus through pregnancy and gives birth to a baby for another person or couple.” The process of surrogacy can be fraught with legal, technical, and moral issues, particularly when the surrogacy is paid for via contract with the surrogate, also called Compensated Gestational Surrogacy (CGS). Until 2020, this kind of contractual paid surrogacy was illegal in the state of New York. That year, it was legalized, and the regulatory regime normalized by the Child-Parent Security Act.  In contrast, the state of Louisiana has one of the harshest gestational surrogacy regimes in the world, outright banning CGS, and requiring both sets of gametes to come from a couple married residing in the state of Louisiana. But these competing regulatory regimes are not replicated across the nation. To the contrary, most states have not passed any laws legalizing or banning CGS or other fertility practices, like the sale of gametes. With sparse case law and frequent legal limbo, the question of “is CGS legal for me?” can be a difficult question for many Americans.

Across the Atlantic, the question used to be an easy one to answer. In 1985 the UK Parliament Enacted the Surrogacy Arrangements Act, which made it an offense to “initiate or take part in any negotiations with the view of making a surrogacy arrangement”, along with some related activities, like compiling information to assist in the creation of surrogacy arrangements. Critically, however, the Act did not criminalize the act of looking to hire a surrogate, or looking to become one, only being a middleman, or publishing advertisements on behalf of those looking to obtain the services of a surrogate. The Human Fertilisation and Embryology Act 1990 defined the mother of a child under UK law as “[t]he woman who is carrying or has carried a child… and no other woman”. In 2001, the Lords Appeal in Ordinary, which acted as the UK’s highest court until 2009, heard the appeal in Briody v. St Helens and Knowsley Area Health Authority. The question before the Lords was one of damages. A woman, rendered infertile as a result of medical negligence, sought £78,267 in order to obtain the services of a surrogate in California, which had legalized CGS in 1993 in the landmark case Johnson v. Calvert. The Lady Justice Hale, speaking for the court, foreclosed the use of CGS in California or elsewhere, as the proposal was “contrary to the public policy of the country”. While she did not entirely dismiss the idea of providing damages to pay for surrogacy procedures, she said it would be permitted only in the case of a voluntary, unpaid surrogate.

Few appellate court judges get to issue an opinion on the same facts twice in their career. In 2020, in one of her final cases prior to retiring, the Lady Justice Hale, now sitting on the UK Supreme Court, which by then had replaced the Lords Appeal in Ordinary, did just that.  In Whittington Hospital NHS Trust (Appellant) v XX, the court determined that a woman who had been rendered infertile as a result of medical negligence could claim damages, including the costs to pay a United States based surrogate to carry her children. CGS, while still entirely illegal in the UK, could now nevertheless provide the basis for damages in a UK court. The Court did note some factual differences between Whittington Hospital and Briody, notably, that the likelihood that a surrogacy arrangement would result in a child was higher in the former. However, the court’s main argument for its opposite ruling was a change in cultural attitude to surrogacy and its role in society, stating “[t]he use of assisted reproduction techniques is now widespread and socially acceptable.”

While admitting that surrogacy was now widely accepted in UK society, the dissent, authored by The Lord Justice Carnwath, nevertheless disagreed with the Court. It argued that the criminal law of the UK remained clearly averse to commercial surrogacy, and that by awarding damages for CGS in California the court misaligned the UK’s civil and criminal law. Thus, the CGS regimes of the UK and the U.S. are now bound together. UK citizens may seek surrogacy arrangements and have them compensated by the UK government through the UK’s National Health Service, but they must use an American “womb”. A financial arrangement which the UK itself deems too unethical to allow inside its own borders is nevertheless legalized and compensated when occurring in other countries. The deeply strange situation is mirrored in the opaque CGS law in the United States itself.

A quick glance at any 50-state review of laws, compiled either by supporters or opponents to commercial surrogacy, paint a similar picture. They show strange ad hoc mixes of case law which often cover ancillary issues or are at least 30 years old. Some scholars have started to publicly discuss the possible ethical pitfalls of “procreative tourism”, but without clear legal rules governing what arrangements are and are not allowed, it becomes difficult to discuss possible solutions. The dangers of this shadow regime were thrown into stark relief by the war in Ukraine, which prior to the Russian invasion was a major source of surrogate mothers. Mothers were paid on average $15,000 per child, which is considerable in a country where, prior to the invasion, the GDP per capita was less than $5,000. The United States needs to determine if it wishes to become a “destination” country for procreative tourism, as the result in Whittington would seem to suggest it is, and whether it wishes to allow its own citizens the opportunity to travel abroad to engage in CGS.

This blog has touched on only a small fraction of the issues which are faced when determining the ideal regulatory regime for surrogacy. However, a lack of discussion, and a failure to acknowledge possible risks leaves us ignorant of what the problems may be, let alone the route to potential solutions. States have largely failed to address the issue since the first CGS baby was born in their borders, usually in the late 1980’s and early 1990’s. It’s time for a serious examination of CGS regulation as it exists, as well as a meaningful discussion about safeguarding the health and wellbeing of those involved in such a transaction. The UK has now done the same, passing the buck without a serious response to the issues surrounding CGS. Regardless of one’s opinion on the results of the Louisiana and New York regulations, potential participants in a surrogacy arraignment in those two states know the boundaries. That should be the case nationwide.


Practical Results of Enforcing the GDPR

Sooji Lee, MJLST Staffer

After the enforcement of the European Union’s(“EU”) General Data Protection Regulation (“GDPR”), Facebook was sued by one of its shareholders, Fern Helms, because its share price fell more than “20 percent” in July 27, 2018. This fall in stock price occurred because the investors were afraid of the GDPR’s potential negative impact on the company. This case surprised many people around the world and showed us how GDPR is sensational regulation that could result in lawsuits involving tremendous amounts of money. This post will articulate what has occurred after enforcement of this gigantic world-wide impacting regulation.

Under GDPR, regulated entities (data controllers and data processors) must obtain prior “consent” from their users when they request customers’ personal data. Each member country must establish Data Protection Authority (“DPA”) to comply with the GDPR. This regulation has a broad applicable range, from EU corporations to non-EU corporations that deal with EU citizens’ personal data. Therefore, after the announcement of this regulation, many United States based global technology corporations which conduct some of their business in European countries, such as Google and Facebook, commenced processes to comply with the GDPR. For example, Facebook launched its own website which explains its effort to comply with GDPR.

Surprisingly, however, despite the large-scale preparation, Google and Facebook were sued for breach of the GDPR. According to a report authored by IAPP, thousands of claims were filed within one month the GDPR’s enforcement date, May 25, 2018. This fact implies that it is difficult to abide by GDPR for current internet-based service companies. Additionally, some companies that are not big enough to prepare to comply with the GDPR, such as the Chicago Tribune and the LA Times, temporarily blocked EU users from its website and some decided to terminate its service in the EU.

One interesting fact is that no one has been fined under GDPR yet. A spokesperson for the United Kingdom’s Information Commissioner’s Office commented “we are dealing with the first GDPR cases but it’s too early to speculate about fines or processing bans at this stage.” Experts expect that calculating fines and processing bans could take another six months. These experts foresee that once a decision is rendered, it could set a standard for future cases which may be difficult to change.

The GDPR, a new world-wide impacting regulation, just started its journey toward proper consumer data protection. It seems many of the issues involved with the GDPR are yet to be settled. For now, no expert can make an accurate prediction. Some side-effects seem inevitable. So, it is time to assess the results of the regulation, and keep trying to make careful amendments, such as expanding or restricting the scope of its applicable entities, to adjust for arising problems.


Permissionless Innovation or Precautionary Principle: the Policy Menu of the Future

Ethan Konschuh, MJLST Staffer

In their recent paper, Guns, Limbs, and Toys: What Future for 3D Printing?, published in the Minnesota Journal of Law, Science, and Technology Volume 17, Issue 2, Adam Thierer and Adam Marcus discussed the potential regulatory frameworks for technological innovations that could spur what they call “the next great industrial revolution.”  They believe that 3D printing, one such innovation, could offer such great benefits that it could significantly enhance global welfare.  However, they worry that preemptive regulations on the technology could undermine these benefits before giving them a chance to be realized.  The paper advocates for a method of regulation called “permissionless innovation,” as opposed to regulations following the “precautionary principle.”  While there are many pros to the former, it could leave unchecked the risks curtailed by the latter.

“Permissionless innovation refers to the notion that experimentation with new technologies and business models should generally be permitted by default.”  It follows from the idea that unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated, and problems, should they arise, can be addressed later.  The authors point to numerous benefits of this approach with respect to emerging technologies.  One of the most obvious benefits is that this type of regulatory framework does not prematurely inhibit potential benefits.  “Regulatory systems based on precautionary thinking focus on preemptive remedies that aim to predict the future and its hypothetical problems. But if public policy is rooted in fear of hypothetical worst-case scenarios, it means that best-case scenarios will never come about.”  It would also preserve the modern startup culture where “just about anyone can afford to launch a business.”  Implementing a framework based on the precautionary principle will create barriers to entry and raise the cost of innovation.  This would also reduce the ability to maximize competitive advantage through trial and error, which refines the technology and efficient allocation of resources for development.  As an example of the potential detriments to competitive advantage from preemptive regulation, the authors point to the different policies of the Europe and the U.S. in the mid-nineties internet explosion where the former preemptively regulated and the latter allowed for permissionless innovation, resulting in the U.S. being a global leader in information technologies and Europe lagging far behind.

An alternative regulatory approach discussed in the article is based on the precautionary principle, which generally refers to the belief that new innovations should be curtailed or disallowed until it can be proven that they will not cause harm.  This approach, while posing problems of its own discussed above, would solve some of the problems arising under permissionless innovation.  While there are many economic and social benefits to permissionless innovation as the bedrock on which policy rests, it inherently allows for the “error” half of “trial and error.”  The whole concept is rooted in the idea of ex post regulation, creating policy to correct for problems that have already occurred.  While traditionally, as shown through the internet regulation difference and outcome between Europe and the U.S., the risk of error has not outweighed the benefits that result, new technologies pose new risks.

For example, in the realm of 3D printing, one of the hot topics is 3D printed firearms.  Current laws would not make 3D printed guns illegal, as most regulations focus on the sale and distribution of firearms, not creation for personal use.  The reasons why it might be more prudent to adopt a precautionary principle approach to regulating this technology are obvious.  To adopt an ex post approach to something that could have such dire consequences could be disastrous, especially considering the amount of time required to adopt policy and implement regulations.  Permissionless innovation could thus become a sort of self-fulfilling prophecy in that major tragedies resulting from 3D printing could result in exactly what advocates of permissionless innovation seek to prevent in the first place: strict regulation that undermines the development of the technology.

The debate will likely heat up as technology continues to develop.  In the era of self-driving cars, private drones, big data, and other technologies that continue to change the way that humans interact with the world around them, 3D printing is not the only area in which this discussion will arise.  The policy decisions that will be made in the next few years will have far reaching consequences that are difficult to predict.  Do the economic and social benefits of being able to manufacture goods at home outweigh the risks of legal, discrete self-armament and its consequences?  The proverbial pill may be too large for some to swallow.


E.C.J Leaves U.S. Organizations to Search for Alternative Data Transfer Channels

J. Adam Sorenson, MJLST Staffer

The Court of Justice of the European Union (E.C.J.), the European’s top court, immediately invalidated a 15-year-old U.S. EU Safe Harbor Program Oct. 6th (Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14, 10/6/15). This left the thousands of businesses which use this program without a reliable and lawful way to transfer personal data from the European Economic Area to the United States.

The Safe Harbor Program was developed by the U.S. Department of Commerce in consultation with the European Commission. It was designed to provide a streamlined and cost-effective means for U.S. organizations to comply with the European Commission’s Directive on Data Protection (Data Protection Directive) which went into effect October of 1998. The program allowed U.S. organizations to voluntarily join and freely transfer personal data out of all 28 member states if they self-certify and comply with the programs 7 Safe Harbor Privacy Principles. The program was enforced by the U.S. Federal Trade Commission. Schrems v. Data Prot. Comm’r, however, brought a swift halt to the program.

This case revolves around Mr. Schrems, an Australian Facbook user since 2008 living in Austria. Some or all of the data collected by the social networking site Facebook is transferred to servers in the United States where it undergoes processing. Mr. Schrems brought suit against the Data Protection Commissioner after he did not exercise his statutory authority to prohibit this transfer. The case applied to a 2000 decision by the European Commission which found the program provided adequate privacy protection and was in line with the Data Protection Directive. The directive prohibits “transfers of personal data to a third country not ensuring an adequate level of protection.”(Schrems) The directive goes on to say that adequate levels may be inferred if a third country ensures an adequate level of protection.

The E.C.J. found that the current Safe Harbor Program did not ensure an adequate level of protection, and therefore found the 2000 decision and the program itself as invalid. This means all U.S. organizations currently transferring personal data out of the EEA are doing so in violation of the Data Protection Directive. This case requires U.S. organizations to find alternative methods of approved data transfer, which generally means seeking the approval of data protection authorities in the EU, which can be a long process.

Although the EU national data protection authorities may allow for some time before cracking down on these U.S. organization, this decision signals a massive shift in the way personal data is transferred between the U.S. and Europe, and will most likely have ripple effects throughout the data privacy and data transfer worlds.