How NSA Surveillance May Result In Fragmenting The Internet: EU Court Leaning Towards Ending 'Privacy Safe Harbor'

from the this-could-be-a-mess dept

If you haven't dealt with it, the "EU-US data protection safe harbor" is somewhat confusing to deal with. The basics, however, are that under an agreement between the US and the EU, if US companies wish to transfer data out of Europe and to American servers, they have to abide by this "safe harbor" process, whereby they agree to take certain steps to keep that data safe and out of prying eyes. The process itself is something of a joke (we at Techdirt have actually gone through it to make sure we weren't violating the law -- though I imagine many small American internet companies don't even know it exists). You basically have to pay a company to declare you in compliance, which in reality often just means that the company reviews your terms of service/privacy policy to make sure it has specific language in it. There have been plenty of (potentially reasonable) complaints out of the EU that the safe harbor process doesn't actually do much to protect Europeans' data. That may be true, but the flipside of it isn't great either. Without the safe harbor framework, it's possible that it would be much more difficult for American internet companies to operate in Europe -- or for Europeans to use American internet companies. Some in Europe may think that's a good idea, until they suddenly can't use large parts of the internet.

Either way, the whole safe harbor system has come under attack on a variety of fronts, and it looks close to breaking... all because of the NSA. Max Schrems, who made news back in 2011 by asking Facebook for a copy of all the data it had on him, argued that the NSA's PRISM surveillance program violated EU data protection rules. The European Court of Justice's Advocate General, Yves Bot, has now sided with Schrems and basically said that the NSA surveillance has made the safe harbor process invalid.

The European Court of Justice still needs to come out with its final decision, but it usually (though not always!) agrees with the Advocate General's recommendation. Here, the Advocate General basically says that NSA surveillance has completely undermined the idea that the US can keep Europeans' data safe, and thus the safe harbor cannot stand.

According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance. Indeed, the access which the United States intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.

In short, thanks to indiscriminate mass surveillance by the NSA, we may witness a fractured and fragmented internet. That's a big deal.

The EU Commission and the US have been negotiating for a while to change the EU-US Safe Harbor setup anyway, so it's possible that even if the court follows the Advocate General's suggestion, a new, more acceptable, safe harbor process will be put in place. But, in the short term, this could create quite a mess for the internet. Once again, we see how the NSA's actions, which it claims are to "protect" America could end up doing massive economic damage to the internet.

Filed Under: advocate general, cjeu, data privacy, eu, eu court of justice, eucj, fragmentation, localization, max schrem, nsa, privacy, safe harbor, surveillance