As expected, the European Union court has thrown out an agreement, forged in 2000, that allows virtually uninhibited data sharing and transfer between the United States and EU countries and is the legal basis for National Security Agency’s on-line surveillance and data capture programs.
The Court’s decision is binding on all EU members and violation of its decisions could end in punitive measures including fines and trade restrictions.
EU Court Chief Justice Koen Lenaerts
The decision validates an opinion issued by the EU Court’s Advocate General last month that the Safe Harbor Framework — a group of trade regulations approved by the EU in 2000 — violates the laws of various EU member countries and the EU’s 2009 Charter of Fundamental Rights.
Essentially, Safe Harbor allows the United States to retrieve huge amounts of data from servers and other storage devices in a European country without having to worry about the country’s privacy laws, which are frequently stricter than those in the United States and are now uniformly compliant with the 2009 Charter. In fact, since these are American officials operating abroad, they don’t have to worry about U.S. privacy laws either because these don’t apply to activities outside the U.S.
Since much of the data from users of services like Google (including Gmail), Apple and Facebook (as well as 4500 other companies and agencies) is stored in Europe, which is more cost-effective than in the U.S., the NSA was capturing most data without any constraint. That, now, has ended.
The opinion issued by Advocate General Yves Bot last month was a response to a case brought by Austrian technologist Maximillian Schrems. Schrems used information made public by whistle-blower Edward Snowden to demonstrate that the NSA’s PRISM program, the agency’s main data collection program, was effectively illegal in much of Europe and Safe Harbor was actually facilitating a crime.
After being turned down by Ireland’s courts — the European division of Facebook, the lawsuit’s initial target, is based in Ireland — Schrems took his case to the EU courts which almost immediately saw a major contradiction in the Safe Harbor Framework.
The problem is, in part, one of intent. Safe Harbor was actually a trade framework that allows companies and government trade sections to move information back and forth with impugnity: a freedom all the participating governments thought necessary to facilitate business in an increasingly digital economy.
But the NSA had other plans. Seeing the potential of the Safe Harbor system, and knowing how important digital data would become to surveillance, the NSA almost immediately began developing ways to exploit Safe Harbor. Since U.S. Internet users’ data was increasingly being stored in Europe, surveillance would be enhanced by using Safe Harbor’s unencumbered data transfer regulations to pull data from those European storage devices. There was no need for a court order and they didn’t have to inform the owner of the data. The PRISM program is dedicated almost exclusively to that kind of data capture.
The Court has now declared such capture illegal. Not to say that PRISM and other data capture programs won’t continue — the NSA will certainly not let this decision stop its spying. But spy programs using Safe Harbor are now illegal.
“It’s regulatory roulette,” Trevor Hughes, president and chief executive of the International Association of Privacy Professionals, told the Washington Post. “What we see is that a major mechanism for allowing those data transfers to occur has now gone away. Those data transfers are not going to stop. However, many companies today are now likely out of compliance with the expectations of European law, which opens them to regulatory enforcement in Europe and elsewhere.”
The question really is what will the opposition movements of the U.S. and Europe do about this because, while the court decision doesn’t stop surveillance, it now clearly makes it illegal and vulnerable to legal challenge.