The European Union no longer considers the United States a “safe harbor” for data because the National Security Agency surveillance exposed by whistleblower Edward Snowden “enables interference, by United States public authorities, with the fundamental rights of persons.”
The EU’s highest court, the Court of Justice, declared on Tuesday that an international commercial data-sharing agreement allowing U.S. companies free-flowing access to large amounts of European citizens’ data was no longer valid.
As Snowden revealed in 2013, the NSA has been interpreting section 702 of the Foreign Intelligence Surveillance Act as giving it license to intercept Internet and telephone communications in and out of the U.S. on a massive scale. That is known as “Upstream” collection. The NSA is not required to demonstrate probable cause of a crime before a court or judge before examining the data. Another 702 program, called PRISM, explicitly collects communications of “targeted individuals” from providers such as Facebook, Yahoo and Skype.
When Max Schrems, an Austrian law student, learned about Snowden’s revelations, he argued that Facebook was ignoring stronger European privacy laws when it sent his data from its European headquarters in Ireland back to the United States, where it was being intercepted by the NSA. Schrems wrote that the lawsuit he launched against Facebook was about “transparency” and “user control” because he could not determine what was being done with his data—which goes against the European Union Charter of Fundamental Rights.
On September 23, the Court of Justice’s top legal adviser, Yves Bot, concluded that the safe harbor agreement was invalid because of U.S. surveillance. “It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot wrote. “Interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.”
The United States argued in response that the agreement protects privacy, and is vital to both U.S. and European businesses. A statement from the United States mission to the European Union insisted that “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”
But it did not provide any indication of how it defines “indiscriminate” – and the European court didn’t buy it.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” the Court wrote.
Although the safe harbor provision applies to commercial data, the underlying issue is the overbroad access of U.S. intelligence agencies to European citizens’ data, said Jens-Henrik Jeppesen, director of European Affairs for the Center for Democracy and Technology. “Surveillance is the heart of this matter,” Jeppesen told The Intercept. “The highest court in the European Union is not satisfied with the guarantees such as they are under current U.S. laws.”
“The European decision is one of the best ones we’ve seen come out of Snowden revelations,” says Tiffiny Cheng, co-founder of the online advocacy group, Fight for the Future. “It is an actual conversation on the responsibility of companies and government to protect data they hold.”
The ruling was seen as posing a major obstacle for U.S.-based technology companies like Facebook, Google and Yahoo, whose business models require moving massive amounts of data back and forth between the U.S. and Europe.
What’s not yet clear is what they can do about it.
Sen. Ron Wyden, D-Ore., had a suggestion: reform U.S. surveillance law.
The decision is disastrous for U.S. companies, Wyden said in a statement. “By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses,” he said. “Yet, U.S. politicians who allowed the National Security Agency to secretly enact a digital dragnet of millions of phone and email records also bear responsibility. These ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”
Wyden called on Congress to “start taking the next steps on surveillance reform now, and not wait for the expiration of section 702 of the FISA statute in December 2017 to get started.”
Snowden himself celebrated the decision in a stream of live-tweets, writing that “we are all safer as a result.”
And European privacy activists were optimistic about the fallout. “Invalidating Safe Harbour is a unique opportunity for the EU and the US to develop an accountable mechanism for data transfer that would protect individuals’ rights to privacy and data protection and provide companies with legal certainty at the same time,” wrote Estelle Masse, a policy analyst for Access in Brussels.
A narrower ruling, wrote Félix Tréguer, co-founder of the French civil rights group La Quadrature du Net, might have simply resulted in “the relocation of European’s personal data in Europe where local intelligence agencies would have been able to get their hands more easily on that data.”
“Thankfully, the ruling goes further than that,” he wrote. “It sets the stage for future cases (for instance those we’ll soon introduce against the French Intelligence Act, or those against the GCHQ that are currently pending before the European Court of Human Rights). It give[s] us room for legal maneuver; legal opportunities that civil rights groups all across Europe (and beyond probably) will be able to use in resisting the dangerous drift toward mass surveillance.”
Caption: A slide describing PRISM and UPSTREAM, NSA surveillance programs vacuuming up telephone and Internet communications from major companies, revealed by Edward Snowden in 2013.
The real truth is the NSA isn’t responsible for making data unsafe.
Snowden was the “headfake”, that was meant to launch the scandal, which has become the catalyst to attempt to force the US’s hand into releasing control of the internet and servers to ICANN. That is a fact.
Investigate your sources, be sure and look into the Sony hack, government hacks and the Chattanooga shootings, and how those incidences are connected to ICANN’s proposed takeover of the internet. If you’re thorough in your research, you’ll find the connection.
Here’s the deal, the US created the internet, invested and continues to improve and maintain, what everyone enjoys. The EU wants control, as does Russia and China. Instead of focusing on what other countries are ruling and trying to influence the US to do, btw, their rulings have zero standing in our courts, the FOCUS needs to be on the real reason these countries are urging the US to ignore their own national interests. Whoever controls the internet, has the most power. That is the bottom line. The US is viewed as having the most power.
Let’s start talking about when an investigation will begin into how ICANN and its proponents have engaged in funding acts of domestic terror against the US in an attempt to force the relinquishment of control of the root servers that ICANN, Russia and China, along with France and other EU countries are drooling over in anticipation. It’s time to elevate the conversation, to an intelligent level, which leaves Edward Snowden frozen in RU, where he belongs.
The NSA “headfake” was always about forcing the US into releasing the internet. . .just like the Florida Gore/Bush “hanging chad”, was about transitioning to software based elections. Hmm. . .do you see a theme, yet?
The NSA wasn’t doing what Edward Snowden accused the agency of doing. Snowden and his club, knew the NSA couldn’t comment because of the nature of its work.
The European courts need to investigate who funded Edward Snowden, who funded “OpCharlieHedbo”. It’s doubtful they ever will, so here’s the spoiler alert. They would find that ICANN has dirty hands, is unsafe and unethical. The US would be remiss to release the internet to ICANN, the $99million asset laden non-profit, whose Pechora servers are in Russia.
It’s time to have a conversation based on facts, which must include how fortunate the US is to have the Intelligence Community that we have, of which the NSA is a part. That conversation needs to focus on the US’s best interest . . which means leaving out ICANN, its anti-American agenda, its henchmen and the bogus Snowden lies which have been the foundation of the arguments to substantiate the assault on the NSA and the IC community. There’s no integrity in their argument, because the Snowden leak was staged. . .just like the “hanging chad”.
Let’s be honest about Snowden, he’s a fake and a traitor. He’s boring. Let’s stop giving him a platform. Move the focus to what’s productive, and discuss what needs to happen to protect our homeland and those who protect all of us. The most productive conversations will be about not releasing our internet to the wolf in sheep’s clothing. . .ICANN.
It’s not the NSA we need to fear. . .it’s ICANN everyone needs to stop trusting.
Alright, White House mass-mailing from today about what a great deal TPP is:
“But we rely on fair rules and a free and open Internet to provide the best service — and to reach those customers. And right now, there are obstacles to that very simple mission. For instance, some countries have tried to force business owners like me to physically locate our infrastructure (like our servers) in their country in order to serve their people. That would essentially bar small businesses like mine from selling to other markets.
That’s why it matters to me that the President has secured the Trans-Pacific Partnership – a trade agreement that levels the playing field for entrepreneurs like me so we can sell more Made-in-America products abroad and support more jobs here at home.
With the TPP, any entrepreneur can sell to anyone with an Internet connection in the countries that have signed on. That’s a huge deal for online businesses like mine — businesses that are becoming a bigger part of our nation’s economy.”
Now TPP isn’t TTIP, but it’s worth watching how quickly the same thing rears its head there. Actually, it occurs to me that you might be able to use the rate at which the EU moves toward actually banning the U.S. data storage as an indication of when the TTIP deal will be announced. They’ll stall as long as they have to … and that much only.
Meanwhile, the FBI says dozens — DOZENS — of Americans are having encrypted conversations with ISIS ( http://www.nbcnews.com/storyline/isis-terror/fbi-dozens-u-s-secret-conversations-isis-n440946 ). I have to say, I’m positively quaking in my shoes. The possibility that even ONE person might be having bad thoughts is enough to justify shackling the entire world and throwing it into the Pit, isn’t it?
But in English, what I suspect their statement means is that Syrians are ON OUR SITEZ DOWNLOADING OUR PR0N! And trying not to get beheaded for it.
“Although the safe harbor provision applies to commercial data” This is why. The NSA is spying on EU CITIZENS, not corporations so they’re not doing anything wrong. If our government can find a loophole they will and that’s a HUGE loophole. They spy on US citizens why on earth would any country think THEIR citizens are safe?
The USA is its worst enemy, or at least its military agencies are followed closely by the Congress.
US citizens don’t know what ID cards, ID tattoos mean as they haven’t been subjected to authoritarian outfits like Hitler’s Germany, or the French system or, indeed, those of Russia and China.
In China, most urban police types have very modern two-way radios complete with large screens and a card swipe. All citizens, and Foreigners, are supposed to carry ID. The card, or passport/visa, can be swiped and the subject’s history revealed.
This is why citizens of other Western nations are alarmed at what US agencies are doing, coupled with the commercial sector.
What Britain’s GCHQ and MI agencies are doing is an anathema to the average UK citizen’s way of life. They make the worst lawyers respectable.
And despite all these precautions the 2001 NYC skyline alterations weren’t even detected until after the fact, as was the case with the London subway and bus bombings. Total wastes of money.
The US should back off, the only people they scare are their own citizens.
I share your opposition to this, but is the U.S. so much better? Police here are not known for taking “I’m not gonna tell you” for an answer, and some states – California I think – actually have passed mandatory-identification laws to formalize that.
Even ISIS is known for their computer-networked cops and “Crusader Database” with the names of Alawite/Shiite/etc. collaborators. If you’re there, don’t be in the Crusader Database. :(
Looking at the text of the ruling itself, I have to wonder if it is really something the U.S. can comply with. Or at least, it seems to say that even law enforcement activities have to be secondary to safe harbor provisions laid down by the E.U., which seems unlikely to pass in even the most enlightened reform bill, and it also seems to say that the existing commission is simply not competent to override national decisions in the EU about the offshoring, which makes me think safe harbor is well and truly dead.
Now to be sure, not sending your data all over the planet seems like a step toward privacy, but when the spy network is so international, it’s not much of one. And it comes at a huge cost. I wonder how many of the IT layoffs in the U.S. I’ve seen in the past month were in expectation of this decision?
It would be far more effective if the companies would encrypt everything incredibly well and claim their offshore records were unbreakable, but who on Earth would believe they hadn’t cc’d someone the key?
Are you really trying to say the NSA can’t NOT spy on EU citizens? Really? This isn’t about companies being spied on it’s about the citizens being spied on. We ignored the spirit of the law and only followed the word of the law. They say they’re not spying indiscriminately, but everyone in the US knows that’s bullshit since they do it to us. It’s easy not to spy on people VERY easy. It’s just not what the NSA wants to do.
Have you seen the range of discussion in Congress? Getting them to abandon NSA spying would be like a revolution, like setting the banks on fire, like taxing the rich, like ending all drug laws. But if you did that, the decision still speaks of law enforcement access, i.e. the CALEA sort of stuff that is nominally under control of the warrant system. Would the U.S. pass laws to make sure its legal warrants comply with EU safe harbor rules also?
The US doesn’t have to make their warrants comply with EU rules. It would be a huge step forward if US authorities were required to get a warrant *at all*.
The sad thing is, “reform” has the potential to be worse than the status quo. Consider the efforts to shoehorn mandatory data retention into the USA Freedom Act (see https://www.accessnow.org/blog/2014/06/25/mo-data-mo-problems ). Had that gone through, any European company whose data transited through the U.S. would have to worry about its data being released by any legal proceeding filed in the U.S. – an intolerable dilution of European countries’ sovereignty that would make the U.S. even more unreliable.
Is there any law the govt and business won’t break with impunity and then have their imbeciles in black robes legally justify the decision? How is the US behaving any different from a banana republic? They flout the constitutional principles upon which the country was founded and it takes an international court to tell them they went too far. Unbelievable!
You can say that again.
Thanks for reporting this Jenna
Mark, you’re right.
Gov & Corps have taken everything we trust and turned it into a scam for their own ends: we assume safe food, safe cars, safe investing, safe education or even safely going to a movie theatre but Gov&Corp farm our assumptions. We have thousands working in government departments and they do everything except their jobs. The police and military answer to no one and when questioned they investigate themselves and guess what – no culpability. The general idea is herd up the low and middle class, get them all on the internet, distract them with sports and TV, and run their scams. We left the British Empire for freedom and personal rights – now we’ve come full circle and we are the repressors.
As predicted The European Union is following the rest of the World in banning foreign spies from building secret citizen dossiers through corporate data mining.
While a great victory there are two other broad sweeping laws the USA Congress is set to vote on this fall. The secret trade agreement (TPP) allows corporations to search personal computers and report suspicions to the USA cybersecurity authorities under the new Cyber Intelligence Sharing and Protection Act (CISPA) law.
Before Snowden A.D. American corporations were allowed unfettered access by the USA government. When first confronted they too lied and said they weren’t working in partnership with the government.
Since then they have heavily advertised end-to-end encryption. However their invasive corporate terms-of-service allow THEM to collect the same data for the gov’t before it’s encrypted. These mass surveillance searches and data mining will be legally protected against all lawsuits under the CISPA. Here is the law. Note the scope is set extremely wide by including ALL types of trafficking.
“Amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to allow the intelligence community to share cyber threat intelligence with private-sector entities and utilities possessing appropriate certifications or security clearances.
Requires federal agencies receiving shared cyber threat information to establish procedures to: (1) ensure that real-time information is shared with appropriate national security agencies and distributed to other federal agencies; and (2) facilitate collaboration among federal, state, local, tribal, and territorial governments, cybersecurity providers, and self-protected entities.
Directs DHS, the Attorney General, the DNI, and the Department of Defense to establish procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government.
Sets forth requirements for the use and protection of shared information, including: (1) anonymization or minimization procedures, (2) prohibitions on gaining a competitive advantage, (3) exemptions from public disclosure requirements if information is shared with the government, and (4) prohibitions on the use of such information for regulatory purposes. States that shared information may only be used by a non-federal recipient for a cybersecurity purpose.
Provides civil and criminal liability protections to cybersecurity providers, contracting entities, and self-protected entities acting in good faith to obtain or share threat information or to safeguard systems from threats.
Allows the federal government to use shared cyber threat information for: (1) cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network; (2) cybersecurity crime investigations; or (3) protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such danger, including child pornography, sexual exploitation, kidnapping, and TRAFFICKING. Prohibits the federal government from affirmatively searching such information for any other purpose.”
Notice the omission of terrorism and the inclusion of TRAFFICKING. Now the assumption of ANY behavior however small is reportable.
All Constitution rights are tossed (as we lie about bombing hospitals)
https://www.congress.gov/bill/114th-congress/house-bill/234
Study the many definitions of trafficking (crimes of commerce)
http://dictionary.reference.com/browse/trafficking
Internally, NSA executives are saying, “Let the media and the courts wring their hands over silly, already public, social-network data. It will be years before anybody suspects that we got the banks to send us every credit card transaction. Utah, here we come!”
J Yan, the snooping on the VISA and SWIFT network is very well publicly known.
There is an ever growing list of reasons why the TTIP agreement is not a good idea. This EU court decision could very well have resulted in an ISDS arbitrage case.
I did morning round and the US big data lawyers are very pissed and depressed, better lock their access to firearms for a few days
When the USA on one hand promises “Honest, we won’t peek!” and on the other hand publicly takes Microsoft to court over data held in Ireland….
…well. they get what they deserve. Thanks for providing the evidence the Europeans need.
Surely it cannot be lost on thoughtful Americans that European legal institutions provide the very protections against warrant-less invasion of personal privacy rights which the US Constitution also promised in the plainest possible language of the Sixth Amendment. Wyden is one of the few remaining Senators worthy of elected office.
While Senator Wyden (my Senator, who is running for re-election) claimed the stage in fighting government surveillance, he seems soft on corporate surveillance.
I urge Intercept readers to watch this keynote speech by Maciej Ceglowski at last week’s Strata Hadoop big data conference. The best slide is his visualization exercise of Nixon in your datacenter with his laptop open.
https://www.oreilly.com/ideas/haunted-by-data
(text version) http://idlewords.com/talks/haunted_by_data.htm
His bio for the event:
Maciej Ceglowski is the founder and sole employee of Pinboard, a personal web archive and bookmarking site with an emphasis on user privacy. He’s been an outspoken advocate of small pay-for-service websites as an alternative to the hype and impermanence of Silicon Valley startup culture. He has also spoken extensively about the dangers of universal surveillance as a business model and the need to decentralize the Internet.
It doesn’t seem like the U.S. had a very good lawyer. Surely they could have argued that the NSA intercepts all the data long before it leaves Ireland!
If the NSA intercepts all data long before it leaves Ireland (and it does, it’d seem) and at every other point along the way (which it does, it’d seem, if what we’ve all been reading is true), then how can anybody possibly research, retain, obtain or speak with a lawyer that could in any way be unintercepted by the NSA, GCHQ, or any of the other partner agencies? Seems like a massive due process issue to me — or the ultimate sleeve card for a system completely out of control.
Being as some of us are mostly apolitical, I figure they’ll come for people like me first for not flying a flag and screaming the national anthem of their designated choosing (or any other one) — maybe if enough examples like that are gathered, it could be used to propose a precedent for why it’s important for people to be able to talk to lawyers, doctors, priests, journalists, and whomever else confidentiality is supposedly guaranteed without, you know, it ALL being slurped up by the powerful with the gusto paid typically to a massive bowl of noodles.
I can’t figure out why the ACLU and its partner organizations aren’t paying more attention to this matter. Then again, I have no idea how they could, either.
Isn’t that a bit, well, beyond unfair?