No Safe Harbor: How NSA Spying Undermined U.S. Tech and Europeans' Privacy
The spread of knowledge about the NSA's surveillance programs has shaken the trust of customers in U.S. Internet companies like Facebook, Google, and Apple, especially non-U.S. customers who have discovered how weak the legal protections over their data are under U.S. law. It should come as no surprise, then, that the European Court of Justice (CJEU) has decided that United States companies can no longer be automatically trusted with the personal data of Europeans.
By declaring invalid the safe harbor that currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., the court has signaled that PRISM and other government surveillance undermine the privacy rights that regulate such movements under European law. In the words of the court's press release:
The Court [states] that legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
The EU's data protection directive forbids personal data from being moved out of the EU to jurisdictions without adequate privacy protections. Since 1998, the United States and the EU have operated under a “safe harbor” framework that allowed signatory U.S. companies to transfer data across the Atlantic as long as they complied with a set of privacy principles. Whether this “safe harbor” truly protects EU personal data, however, has long been questioned.
Max Schrems, a tireless Austrian privacy activist, has been pursuing U.S. companies for violations of EU privacy law and the safe harbor provisions since 2011. In a series of complaints to multiple national data protection authorities, he argued that PRISM and similar surveillance programs demolished the assurances made in the safe harbor agreement. The Irish data protection regulators refused to address his complaint, so Schrems took his case to the Irish courts. They in turn referred elements of the case to the European Court of Justice, which announced its decision today.
The CJEU rejected the Irish data protection authority's argument that the Commission's safe harbor agreement meant that it could not investigate whether American companies complied with the data protection directive. It did concede, however, that national authorities could not throw out the safe harbor entirely; only the CJEU could do that, it decided. And then, based on its analysis of the NSA surveillance program, it did just that.
It's not as if the United States government could not have seen this coming. For the last two years, major tech companies, including Facebook and Google, have told American politicians that without reform of the NSA's global surveillance programs, they risked "breaking the Internet".
Since then, little has been done to fix the international aspects of the NSA's mass surveillance programs. With a continuing stream of stories about the U.S., the United Kingdom and other intelligence services' collection of European citizens' data, it's not surprising that confidence in the ability of U.S. companies to protect their users' data to European data protection standards has plummeted.
What happens next depends on the response of the U.S. government, and the outcome of the many other potential legal challenges to Facebook, Apple, Google and other companies' handling of European personal data that this decision now permits. Schrems himself writes that he believes that the decision won't have an immediately disruptive effect on everyday Internet activities:
“There are still a number of alternative options to transfer data from the EU to the US. The judgement makes it clear that now national data protection authorities can review data transfers to the US in each individual case – while the ‘safe harbor’ allowed for a blanket allowance. Despite some alarmist comments I don't think that we will see major disruptions in practice.”
However, if those reviews continue to run against the fundamental incompatibility of U.S. mass surveillance with European data protection principles, the end result may well be a growing restriction of the commercial processing of European users' data to within the bounds of the European Union.
That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then those agencies will find a way to do that, wherever the data may be kept. Keep your data in Ireland, and GCHQ may well target it and pass it on to the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government—breaking into those systems to extract it.
What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.
There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.
For the United States, that means reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act and re-formulating Executive Order 12333. These are the secretive and overbroad authorities that permit the NSA to use PRISM and a raft of other programs to spy on Europe and beyond. Equally important, the United States must revisit the laws, regulations, and institutional processes that allow these programs to fester in the dark, largely unaccountable to the public. It is the failure of these laws to adequately rein in the intelligence services that led to this case, and it will lead to many more.