Safe Harbor Fails, European Court Rules - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
News
10/6/2015
04:06 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Safe Harbor Fails, European Court Rules

The European Court of Justice has invalidated the Safe Harbor Framework as a way to comply with EU data laws.

Crisis Response: 6 Ways Big Data Can Help
Crisis Response: 6 Ways Big Data Can Help
(Click image for larger view and slideshow.)

Through indiscriminate surveillance, the US National Security Agency managed to break the Internet. On Tuesday, Oct. 6, the European Court of Justice ruled that the Safe Harbor Framework, which allowed US companies to transfer data outside the European Union by declaring compliance with EU data laws, is invalid.

The ECJ decision comes from a case brought by Austrian privacy activist Max Schrems, who objected to Facebook's transfer of data from its servers in Ireland to the US. Schrems complained to Ireland's Data Protection Commissioner that in light of Edward Snowden's 2013 revelations about the scope of data gathering by the NSA, the Safe Harbor regime failed to provide data with the protection required under European law.

The US Mission to the European Union, in an effort to avoid such a decision, last week issued a statement urging the ECJ to preserve the Safe Harbor Framework and insisting that its intelligence gathering is targeted. "The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," the US Mission said.

How the US defines "targeted" and "indiscriminate" remains open to question. According to The Washington Post, the NSA built a surveillance system capable of recording all the phone calls in a foreign country and storing those calls for a month. The NSA also had an order requiring Verizon to provide metadata for every call to, from, or within the US on an ongoing basis.

(Image: ECJ)

(Image: ECJ)

The ECJ accepts the High Court of Ireland's evaluation of US intelligence gathering in the context of data protection assurances. "Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception carried out by them on a large scale," the ECJ ruling states.

In a statement posted on his website Schrems welcomed the decision. "This judgement draws a clear line," he said. "It clarifies that mass surveillance violates our fundamental rights. ... The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."

Google executive chairman Eric Schmidt last year urged the US government to enact surveillance reforms to avoid this possibility. "We're going to end up breaking the Internet," he warned at a 2014 Silicon Valley event, because other governments were likely to respond to unrestrained surveillance.

The US tech industry has been struggling regain the trust of foreign citizens, businesses, and governments, many of which have come to doubt corporate data-protection promises. At the same time, these companies face demands for data from governments abroad that want the level of access enjoyed by US authorities.

[Read more about the issues surrounding global data collection.]

Daniel Castro, VP of the Information Technology and Innovation Foundation, a tech industry advocacy group, decried the ECJ decision. "Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce," he said in a statement. "Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."

The situation may not be that dire. In his initial analysis of the decision, Schrems discounted alarmist scenarios and said that the judgment is fairly narrow, applying to the outsourcing of EU data processing operations to US companies. Internet users aren't likely to confront restrictions as a consequence of the ruling, he said.

However, Schrems anticipates that US law will have to change to meet EU requirements, and that US companies enabling mass surveillance may face legal consequences, depending on how EU data protection authorities view such cooperation.

The US Federal Trade Commission did not immediately respond to a request for comment.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gary_EL
50%
50%
Gary_EL,
User Rank: Ninja
10/6/2015 | 10:49:56 PM
US law will have to change to meet EU requirements - Yeah, right.
Yes, we'll have to comply with EU law. And what will they do if we don't, not allow us to protect them from Russia any longer? Bring it on! And, if they refuse to let our companies to compete for their DP work on an open basis, there will be an unstoppable demand here in the US to restrict their access to our markets in return.
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Commentary
Is Cloud Migration a Path to Carbon Footprint Reduction?
Joao-Pierre S. Ruth, Senior Writer,  10/5/2020
News
IT Spending, Priorities, Projects: What's Ahead in 2021
Jessica Davis, Senior Editor, Enterprise Apps,  10/2/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Slideshows
Flash Poll