Safe Harbor: How an EU court aims to protect citizens from NSA snooping
In the latest aftershock of revelations two years ago about widespread US government surveillance, a European court ruled on Tuesday that a 15-year-old law that governs how American tech firms handle Europeans' personal data is invalid.
The sweeping , hotly anticipated on both sides of the Atlantic, will likely send Silicon Valley giants such as Facebook, Microsoft, and Google back to the drawing board to renegotiate how data collected outside of the United States is used and shared inside the US.
Tuesday's ruling by the European Court of Justice was preceded on Sept. 23 by a by the court's top lawyer, Advocate General Yves Bot, finding that the so-called "Safe Harbor" scheme did not adequately protect the data of European citizens who used services such as Facebook, making their information subject to US intelligence gathering by the National Security Agency.
"The United States Safe Harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons," the court found.
Safe Harbor protocols, which are used by about 4,500 US companies with operations in Europe for a wide range of data transfer tasks, such as the processing of employee records, do not provide "effective legal protection against the interference [by the US government]," the court says.
The ruling will not stop the data transfers entirely, but will likely force firms that do large amounts of business in Europe to scramble to negotiate a new agreement, observers say.
"It's worrying for US companies, because they all use Safe Harbor ... and now they need to be on the lookout for a new approach to 'legitimize' the data transfers," says Susan Foster, an attorney focused on for the law firm Mintz Levin.
The decision puts particular pressure on Facebook's operations in Europe, which are based in Ireland, because the court upheld a claim by Max Schrems, an Austrian law student and privacy advocate, that the Irish data protection commissioner should be able to investigate his claim that Facebook is exposing his data to allegedly indiscriminate US surveillance.
Mr. Schrems had filed the claim in the wake of disclosures by former NSA contractor Edward Snowden that Facebook was making all of its data, including that of European users, available to the spy agency through its PRISM surveillance program, a charge Facebook denies.
On Tuesday, Schrems called the court's ruling "perfect." "This doesn't mean data flows are illegal overnight," he told the Irish Times, "but it means national data protection commissioners can take action to stop things."
Questions about the nature of the US surveillance program are at the heart of the debate. Is it broad and indiscriminate about the data collected, as Mr. Snowden has said, or precisely targeted to focus on particular goals, such as combating terrorism, as the intelligence community ?
Dr. Foster, who is based in London, argues the court's ruling doesn't fully address this point, calling it a missed opportunity.
"One problem with this decision is that it takes the media reports about PRISM as fact," she says, noting that Facebook and the US government have been mysteriously silent as the court pondered the Schrems case, which originated in a court in Ireland, leading to speculation that the company may be under a gag order forbidding it to talk directly about the case.
Now, she says, companies must take the court's ruling as binding if other European citizens launch cases against them regarding the use of their data. "That has really fallen by the wayside," she adds.
Other observers agree, saying tech companies based in the US, under threat of additional lawsuits regarding how they use data, would likely begin lobbying Congress to work with European Union officials to reestablish a data sharing agreement.
"The emphasis isn't going to come from the private citizen, it's going to come from companies," says Jim Kinsella, a former Microsoft executive who now runs a cloud data storage company called Zettabox based in Europe, in an interview before the decision was announced.
"They should be concerned, because that's exactly what's going to happen, companies are going to find themselves having to defend their choices about where they place their data," he adds. "I think American companies are very angry about it. [They're saying] that, 'You, US government, are making us look untrustworthy.'"
Previously, tech companies have strongly denied being involved in government surveillance.
Mark Zuckerberg, Facebook's head, dismissed reports that the company was involved in mass surveillance as "outrageous," in on the social media site in 2013.
"We have never received a blanket request or court order from any government agency asking for information or metadata in bulk," he wrote. "And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday."
But Mr. Kinsella says where data is stored could play a particular role in how companies deal with the fallout of the court's decision.
Currently, companies headquartered in the US must comply with government requests for data stored internationally, which often come through a subpoena. But under European laws, cloud-based computing companies headquartered in Europe that serve as the primary "data controller" would not need to respond to a US request for information.
That loophole could allow companies such as Kinsella's Zettabox to act as intermediaries to store data in Europe outside of the reach of US surveillance. He said one small social media company headquartered in the US, which he declined to name, had reached out to the company about storing data using Zettabox's servers.
"Can Microsoft or Facebook essentially contract out to somebody in Europe to be the data controller? I think the answer on the face of it is, yes, you could do that," he says, noting that Microsoft had with a company in China to store data separately from the company's own servers.
In Europe, Microsoft had EU officials approve its cloud computing contracts separately, which allows it to go around the Safe Harbor protections, the Wall Street Journal reported.
In a press conference following the announcement of the court's decision, European officials emphasized that they were working with data protection agencies from each member state on guidelines that would address transatlantic data transfer now that Safe Harbor is invalid, the Christian Science Monitor's Passcode reported.
Currently, data transfers involving performing a contract or service, such as booking a hotel room, are still allowed between the EU and the US, Passcode notes. "Similarly, public interest data and personal medical records can be transferred with proper consent."
Foster, the privacy lawyer, says it was still early to tell exactly what impact the decision would have on how companies dealt with data transfers, but she called the decision "very sweeping."
"The balance of power between the [European] commission and national data protection centers is reset, with most of the power going to the commission," she said. "[The court] went as far as they could."