Safe Harbor Fails, European Court Rules - InformationWeek

Safe Harbor Fails, European Court Rules

The European Court of Justice has invalidated the Safe Harbor Framework as a way to comply with EU data laws.

Through indiscriminate surveillance, the US National Security Agency managed to break the Internet. On Tuesday, Oct. 6, the European Court of Justice ruled that the Safe Harbor Framework, which allowed US companies to transfer data outside the European Union by declaring compliance with EU data laws, is invalid.

The ECJ decision comes from a case brought by Austrian privacy activist Max Schrems, who objected to Facebook's transfer of data from its servers in Ireland to the US. Schrems complained to Ireland's Data Protection Commissioner that in light of Edward Snowden's 2013 revelations about the scope of data gathering by the NSA, the Safe Harbor regime failed to provide data with the protection required under European law.

The US Mission to the European Union, in an effort to avoid such a decision, last week issued a statement urging the ECJ to preserve the Safe Harbor Framework and insisting that its intelligence gathering is targeted. "The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens," the US Mission said.

How the US defines "targeted" and "indiscriminate" remains open to question. According to The Washington Post, the NSA built a surveillance system capable of recording all the phone calls in a foreign country and storing those calls for a month. The NSA also had an order requiring Verizon to provide metadata for every call to, from, or within the US on an ongoing basis.

(Image: ECJ)

The ECJ accepts the High Court of Ireland's evaluation of US intelligence gathering in the context of data protection assurances. "Once the personal data has been transferred to the United States, it is capable of being accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI), in the course of the indiscriminate surveillance and interception carried out by them on a large scale," the ECJ ruling states.

In a statement posted on his website, Schrems welcomed the decision. "This judgement draws a clear line," he said. "It clarifies that mass surveillance violates our fundamental rights. ... The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it."

Google executive chairman Eric Schmidt last year urged the US government to enact surveillance reforms to avoid this possibility. "We're going to end up breaking the Internet," he warned at a 2014 Silicon Valley event, because other governments were likely to respond to unrestrained surveillance.

The US tech industry has been struggling to regain the trust of foreign citizens, businesses, and governments, many of which have come to doubt corporate data-protection promises. At the same time, these companies face demands for data from governments abroad that want the level of access enjoyed by US authorities.

Daniel Castro, VP of the Information Technology and Innovation Foundation, a tech industry advocacy group, decried the ECJ decision. "Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce," he said in a statement. "Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."

The situation may not be that dire. In his initial analysis of the decision, Schrems discounted alarmist scenarios and said that the judgment is fairly narrow, applying to the outsourcing of EU data processing operations to US companies. Internet users aren't likely to confront restrictions as a consequence of the ruling, he said.

However, Schrems anticipates that US law will have to change to meet EU requirements, and that US companies enabling mass surveillance may face legal consequences, depending on how EU data protection authorities view such cooperation.

The US Federal Trade Commission did not immediately respond to a request for comment.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
