Snowden Blowback: EU Invalidates Safe Harbor Agreement for Data

The EU Court of Justice threw out a 15 year old safe harbor agreement with the US over concerns that US surveillance of Internet data was violating EU citizens' rights.
The EU Court of Justice threw out a 15 year old safe harbor agreement with the US over concerns that US surveillance of Internet data was violating EU citizens’ rights.

In-brief: Citing the danger of pervasive government surveillance, the European Union abandoned a 15 year-old agreement on data sharing that is one of the underpinnings of the global information commerce. 

Citing the danger of pervasive government surveillance, the European Union abandoned a 15 year-old agreement on data sharing that is one of the underpinnings of the global information commerce. 

In a ruling Tuesday, The Court of Justice of the European Union withdrew from a bilateral agreement that has governed transmissions of personal data between companies in the EU and the US since the turn of the Millennium, declaring the US-EU Safe Harbor agreement invalid, citing “mass and indiscriminate surveillance and interception” of EU residents data by U.S. intelligence and law enforcement agencies.

The ruling, by Advocate General Yves Bot, sent shock waves through the information technology industry on both sides of the Atlantic, where most companies of even modest size are likely to service customers in EU member nations. The ruling also complicates firms globally, who have come to rely on cloud-based infrastructure such as that offered by Amazon that takes for granted the free and unencumbered movement of data between the EU and US.  The decision follows an opinion on September 23, also authored by Bot, that presaged much of the full Court’s final ruling.

The ruling stems from a 2013 complaint filed by Maximilian Schrems, an Austrian national and Facebook user who asked the EU’s Data Protection Commissioner to investigate whether the United States was upholding its end of the safe harbor agreement by protecting EU citizens data. Schrems complaint followed revelations made by Edward Snowden concerning Operation PRISM and other surveillance programs carried out by the U.S. National Security Agency (NSA).

The Court agreed with Mr. Schrems, with Advocate General Bot writing that “the revelations made by Edward Snowden (demonstrate) a significant over-reach on the part of the NSA and other similar agencies.” Despite procedural checks on the NSA, like the US’s Foreign Intelligence Surveillance Court (‘the FISC’), citizens of the European Union have “no effective right to be heard on the question of the surveillance and interception of their data,” Bot concluded.

Speaking via Twitter on Tuesday, Schrems celebrated the ruling. “*YAY* #CJEU on #SafeHarbor: SH invalid. DPC had to investigate. #EUdataP”

But reaction to the ruling from both the legal and technology communities was mixed. Privacy advocates, including the Electronic Frontier Foundation in the U.S. celebrated the ruling.

“The court, by declaring invalid the safe harbor which currently permits a sizeable (sp) amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law,” wrote the EFF’s Danny O’Brien in a blog post.

The ruling by the EU shouldn’t have come as a surprise, following the revelations stemming from Edward Snowden’s theft of classified data from the NSA. However, O’Brien notes that the ruling highlights Washington D.C. lawmakers paralysis in the wake of the Snowden leaks that have made even common sense policy fixes for the NSA’s ham-fisted monitoring impossible.

“What happens next depends on the response of the U.S. government, and the outcome of the many other potential legal challenges to Facebook, Apple, Google and other companies’ handling of European personal data that this decision now permit,” he wrote.