Safe Harbor Fails, European Court Rules

The European Court of Justice has invalidated the Safe Harbor Framework as a way to comply with EU data laws.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 6, 2015


Through indiscriminate surveillance, the US National Security Agency managed to break the Internet. On Tuesday, Oct. 6, the European Court of Justice ruled that the Safe Harbor Framework, which allowed US companies to transfer data outside the European Union by declaring compliance with EU data laws, is invalid.

The ECJ decision comes from a case brought by Austrian privacy activist Max Schrems, who objected to Facebook's transfer of data from its servers in Ireland to the US. Schrems complained to Ireland's Data Protection Commissioner that in light of Edward Snowden's 2013 revelations about the scope of data gathering by the NSA, the Safe Harbor regime failed to provide data with the protection required under European law.

The US Mission to the European Union, in an effort to avoid such a decision, last week issued a statement urging the ECJ to preserve the Safe Harbor Framework and insisting that its intelligence gathering is targeted. "The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," the US Mission said.

How the US defines "targeted" and "indiscriminate" remains open to question. According to The Washington Post, the NSA built a surveillance system capable of recording all the phone calls in a foreign country and storing those calls for a month. The NSA also had an order requiring Verizon to provide metadata for every call to, from, or within the US on an ongoing basis.

The ECJ accepts the High Court of Ireland's evaluation of US intelligence gathering in the context of data protection assurances. "Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception carried out by them on a large scale," the ECJ ruling states.

In a statement posted on his website, Schrems welcomed the decision. "This judgement draws a clear line," he said. "It clarifies that mass surveillance violates our fundamental rights. ... The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."

Google executive chairman Eric Schmidt last year urged the US government to enact surveillance reforms to avoid this possibility. "We're going to end up breaking the Internet," he warned at a 2014 Silicon Valley event, because other governments were likely to respond to unrestrained surveillance.

The US tech industry has been struggling to regain the trust of foreign citizens, businesses, and governments, many of which have come to doubt corporate data-protection promises. At the same time, these companies face demands for data from governments abroad that want the level of access enjoyed by US authorities.


Daniel Castro, VP of the Information Technology and Innovation Foundation, a tech industry advocacy group, decried the ECJ decision. "Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce," he said in a statement. "Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."

The situation may not be that dire. In his initial analysis of the decision, Schrems discounted alarmist scenarios and said that the judgment is fairly narrow, applying to the outsourcing of EU data processing operations to US companies. Internet users aren't likely to confront restrictions as a consequence of the ruling, he said.

However, Schrems anticipates that US law will have to change to meet EU requirements, and that US companies enabling mass surveillance may face legal consequences, depending on how EU data protection authorities view such cooperation.

The US Federal Trade Commission did not immediately respond to a request for comment.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
