The European Union no longer considers the United States a “safe harbor” for data because the National Security Agency surveillance exposed by whistleblower Edward Snowden “enables interference, by United States public authorities, with the fundamental rights of persons.”
The EU’s highest court, the Court of Justice, declared on Tuesday that an international commercial data-sharing agreement allowing U.S. companies free-flowing access to large amounts of European citizens’ data was no longer valid.
As Snowden revealed in 2013, the NSA has been interpreting section 702 of the Foreign Intelligence Surveillance Act as giving it license to intercept Internet and telephone communications in and out of the U.S. on a massive scale. That is known as “Upstream” collection. The NSA is not required to demonstrate probable cause of a crime before a court or judge before examining the data. Another 702 program, called PRISM, explicitly collects communications of “targeted individuals” from providers such as Facebook, Yahoo and Skype.
When Max Schrems, an Austrian law student, learned about Snowden’s revelations, he argued that Facebook was ignoring stronger European privacy laws when it sent his data from its European headquarters in Ireland back to the United States, where it was being intercepted by the NSA. Schrems wrote that the lawsuit he launched against Facebook was about “transparency” and “user control” because he could not determine what was being done with his data—which goes against the European Union Charter of Fundamental Rights.
On September 23, the Court of Justice’s top legal adviser, Yves Bot, concluded that the safe harbor agreement was invalid because of U.S. surveillance. “It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot wrote. “Interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.”
The United States argued in response that the agreement protects privacy, and is vital to both U.S. and European businesses. A statement from the United States mission to the European Union insited that “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”
But it did not provide any indication of how it defines “indiscriminate” – and the European court didn’t buy it.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” the Court wrote.
Although the safe harbor provision applies to commercial data, the underlying issue is the overbroad access of U.S. intelligence agencies to European citizens data, said Jens-Henrik Jeppesen, director of European Affairs for the Center for Democracy and Technology. “Surveillance is the heart of this matter,” Jeppesen told The Intercept. “The highest court in the European Union is not satisfied with the guarantees such as they are under current U.S. laws.”
“The European decision is one of the best ones we’ve seen come out of Snowden revelations,” says Tiffiny Cheng, co-founder of the online advocacy group, Fight for the Future. “It is an actual conversation on the responsibility of companies and government to protect data they hold.”
The ruling was seen as posing a major obstacle for U.S.-based technology companies like Facebook, Google and Yahoo, whose business models require moving massive amounts of data back and forth between the U.S. and Europe.
What’s not yet clear is what they can do about it.
Sen. Ron Wyden, D-Ore., had a suggestion: reform U.S. surveillance law.
The decision is disastrous for U.S. companies, Wyden said in a statement. “By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses,” he said. “Yet, U.S. politicians who allowed the National Security Agency to secretly enact a digital dragnet of millions of phone and email records also bear responsibility. These ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”
Wyden called on Congress to “start taking the next steps on surveillance reform now, and not wait for the expiration of section 702 of the FISA statute in December 2017 to get started.”
Snowden himself celebrated the decision in a stream of live-tweets, writing that “we are all safer as a result.”
And European privacy activists were optimistic about the fallout. “Invalidating Safe Harbour is a unique opportunity for the EU and the US to develop an accountable mechanism for data transfer that would protect individuals’ rights to privacy and data protection and provide companies with legal certainty at the same time,” wrote Estelle Masse, a policy analyst for Access in Brussels.
A narrower ruling, wrote Félix Tréguer, co-founder of the French civil rights group La Quadrature du Net, might have simply resulted in “the relocation of European’s personal data in Europe where local intelligence agencies would have been able to get their hands more easily on that data.”
“Thankfully, the ruling goes further than that,” he wrote. “It sets the stage for future cases (for instance those we’ll soon introduce against the French Intelligence Act, or those against the GCHQ that are currently pending before the European Court of Human Rights). It give[s] us room for legal maneuver; legal opportunities that civil rights groups all across Europe (and beyond probably) will be able to use in resisting the dangerous drift toward mass surveillance.”
Caption: A slide describing PRISM and UPSTREAM, NSA surveillance programs vacuuming up telephone and Internet communications from major companies, revealed by Edward Snowden in 2013.