Safe Harbor Fails, European Court Rules

The European Court of Justice has invalidated the Safe Harbor Framework as a way to comply with EU data laws.

Through indiscriminate surveillance, the US National Security Agency managed to break the Internet. On Tuesday, Oct. 6, the European Court of Justice ruled that the Safe Harbor Framework, which allowed US companies to transfer data outside the European Union by declaring compliance with EU data laws, is invalid.

The ECJ decision comes from a case brought by Austrian privacy activist Max Schrems, who objected to Facebook's transfer of data from its servers in Ireland to the US. Schrems complained to Ireland's Data Protection Commissioner that in light of Edward Snowden's 2013 revelations about the scope of data gathering by the NSA, the Safe Harbor regime failed to provide data with the protection required under European law.

The US Mission to the European Union, in an effort to avoid such a decision, last week issued a statement urging the ECJ to preserve the Safe Harbor Framework and insisting that its intelligence gathering is targeted. "The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," the US Mission said.

How the US defines "targeted" and "indiscriminate" remains open to question. According to The Washington Post, the NSA built a surveillance system capable of recording all the phone calls in a foreign country and storing those calls for a month. The NSA also had an order requiring Verizon to provide metadata for every call to, from, or within the US on an ongoing basis.

The ECJ accepts the High Court of Ireland's evaluation of US intelligence gathering in the context of data protection assurances. "Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception carried out by them on a large scale," the ECJ ruling states.

In a statement posted on his website, Schrems welcomed the decision. "This judgement draws a clear line," he said. "It clarifies that mass surveillance violates our fundamental rights. ... The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."

Google executive chairman Eric Schmidt last year urged the US government to enact surveillance reforms to avoid this possibility. "We're going to end up breaking the Internet," he warned at a 2014 Silicon Valley event, because other governments were likely to respond to unrestrained surveillance.

The US tech industry has been struggling to regain the trust of foreign citizens, businesses, and governments, many of which have come to doubt corporate data-protection promises. At the same time, these companies face demands for data from governments abroad that want the level of access enjoyed by US authorities.


Daniel Castro, VP of the Information Technology and Innovation Foundation, a tech industry advocacy group, decried the ECJ decision. "Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce," he said in a statement. "Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."

The situation may not be that dire. In his initial analysis of the decision, Schrems discounted alarmist scenarios and said that the judgment is fairly narrow, applying to the outsourcing of EU data processing operations to US companies. Internet users aren't likely to confront restrictions as a consequence of the ruling, he said.

However, Schrems anticipates that US law will have to change to meet EU requirements, and that US companies enabling mass surveillance may face legal consequences, depending on how EU data protection authorities view such cooperation.

The US Federal Trade Commission did not immediately respond to a request for comment.
