European Court Of Justice Shoots Down Safe Harbor, Vindicates Snowden
The European Court of Justice issued a ruling that essentially lobs a hand grenade into the debate over surveillance:
“The European Court of Justice, Europe’s highest court, has just shot down the Safe Harbor, an arrangement between the European Union and the United States allowing for the transfer of personal data, in a case against Facebook. This has the potential to transform arguments between the E.U. and United States over privacy and surveillance. . . The European Court of Justice has found that U.S. surveillance breaches the fundamental rights of European citizens.”
Safe Harbor was a compromise agreement between the EU and the US regarding the transfer of data on EU citizens outside of Europe:
“In the 1990s, European officials feared that businesses could take data on E.U. citizens out of Europe, and do whatever they wanted with it abroad. They tried to push the United States to introduce new laws protecting the information of European citizens. The United States wasn’t willing to do this. However, after difficult negotiations (which one of us describes here), they came up with a compromise: the Safe Harbor. Businesses that want to export data can commit to the ‘principles’ of the Safe Harbor, which are watered down versions of European privacy law. If they break their commitments, they may be liable to sanctions from a self-regulatory organization or the Federal Trade Commission.”
There was one catch in the agreement: when US surveillance laws come into conflict with the agreement, US laws always win. This made the agreement somewhat useless when it came to actually protecting the privacy of EU citizens, hence the ruling by the European Court of Justice.
This is good news for those who care about privacy and who found Edward Snowden’s revelations about the massive overreach of the National Security Agency to be distressing. And it is going to mean big changes in the future, specifically for any businesses with customers in the EU:
“So what happens next, from the tech industry perspective? The judgement opens U.S. Internet businesses with users in Europe to privacy challenges if they are processing E.U. data in the U.S. The court has not allowed for a transitionary period, which may accelerate moves by U.S. Internet companies to adopt strong encryption — something we have already been seeing in the wake of the Snowden revelations. Or else companies will need to restructure their European data processing operations — such as building European data centers to process regional data — although such shifts might require other significant procedural changes in how they manage user data flows, so could entail significant time and expense.”
But it can also signal a change in surveillance practices within the United States. Unless companies opt to offer separate tiers of privacy protection for US and EU citizens, it will mean that those of us in America can reap the benefits of this ruling. And, since the US and EU must now negotiate a replacement to the Safe Harbor agreement, one that will actually protect the privacy of the people, this is an opportunity for our country to do a bit more than pay lip service to privacy and set aside nonsensical reassurances that “If you have nothing to hide, you have nothing to fear.”
The Transatlantic Consumer Dialogue, a pro-privacy organization, has called for the US to enact sweeping data protection rules:
“To this end, TACD calls on the US to ratify the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) which forms a ready basis for such a framework. It is also more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100 plus other countries round the world. In the absence of legislation, the US cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by US companies.”
This is a huge victory for opponents of the overly broad surveillance that governments all over the world have engaged in for the last decade. And, more importantly, it represents vindication for Snowden. Had it not been for his revelations, there would have been no heightened scrutiny of surveillance practices, and this case would never have happened. For all the blather and bluster about Snowden being a traitor and a spy, his revelations paved the way for the European Court of Justice’s ruling and could usher in an era of wider protections against indiscriminate surveillance.
It has been an unfortunate fact that oversight of surveillance, in the US, has yet to move into the world of the Internet. Surveillance is still regulated by the antiquated Electronic Communications Privacy Act. The post-911 hysteria that resulted in the absurd overreach of the Patriot Act only served to lessen privacy protections for the average citizen. That unfortunate fact may finally change, thanks to Snowden and the European Court of Justice. We may finally be reaching the end of the era of the Patriot Act and of indiscriminate surveillance. The United States may actually join the rest of the world in offering robust and real privacy protection to its people. And that is a very good thing indeed.
Image: Flickr Creative Commons