Safe Harbor: How an EU court aims to protect citizens from NSA snooping

On Tuesday, the European Court of Justice ruled that a 15-year-old law called Safe Harbor that governs how many US tech firms transfer Europeans' data to the US is invalid, likely forcing companies like Facebook and Google to revamp how they deal with users' data.

The European Court of Justice on Tuesday invalidated a long-standing "safe harbor" law governing how data is transferred between the US and Europe. The case was brought by Max Schrems, left, an Austrian privacy advocate, seen here with his lawyer Herwig Hofmann outside a courtroom after the court's ruling in Luxembourg.

Geert Vanden Wijngaert/AP

October 6, 2015

In the latest aftershock of revelations two years ago about widespread US government surveillance, a European court ruled on Tuesday that a 15-year-old law that governs how American tech firms handle Europeans' personal data is invalid.

The sweeping decision, hotly anticipated on both sides of the Atlantic, will likely send Silicon Valley giants such as Facebook, Microsoft, and Google back to the drawing board to renegotiate how data collected outside of the United States is used and shared inside the US.

Tuesday’s ruling by the European Court of Justice was preceded on Sept. 23 by a scathing opinion by the court’s top lawyer, Advocate General Yves Bot, finding that the so-called “Safe Harbor” scheme did not adequately protect the data of European citizens who used services such as Facebook, making their information subject to US intelligence gathering by the National Security Agency.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

"The United States Safe Harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons," the court found.  

Safe Harbor protocols, which are used by about 4,500 US companies with operations in Europe for a wide range of data transfer tasks – such as the processing of employee records – do not provide  “effective legal protection against the interference [by the US government],” the court says.

The ruling will not stop the data transfers entirely, but will likely force firms that do large amounts of business in Europe to scramble to negotiate a new agreement, observers say.

“It’s worrying for US companies, because they all use Safe Harbor ... and now they need to be on the lookout for a new approach to 'legitimize' the data transfers,” says Susan Foster, an attorney focused on privacy issues for the law firm Mintz Levin.

The decision puts particular pressure on Facebook’s operations in Europe, which are based in Ireland, because the court upheld a claim by Max Schrems, an Austrian law student and privacy advocate, that the the Irish data protection commissioner should be able to investigate his claim that Facebook is exposing his data to allegedly indiscriminate US surveillance.

Why Florida and almost half of US states are enshrining a right to hunt and fish

Mr. Schrems had filed the claim in the wake of disclosures by former NSA contractor Edward Snowden that Facebook was making all of its data – including that of European users – available to the spy agency through its PRISM surveillance program, a charge Facebook denies.

On Tuesday, Schrems called the court’s ruling “perfect.” “This doesn’t mean data flows are illegal overnight,” he told the Irish Times, “but it means national data protection commissioners can take action to stop things.”

Questions about the nature of the US surveillance program are at the heart of the debate. Is it broad and indiscriminate about the data collected, as Mr. Snowden has said, or precisely targeted to focus on particular goals, such as combating terrorism, as the intelligence community maintains?

Dr. Foster, who is based in London, argues the court’s ruling doesn’t fully address this point, calling it a missed opportunity.  

“One problem with this decision is that it takes the media reports about PRISM as fact,” she says, noting that Facebook and the US government have been mysteriously silent as the court pondered the Schrems case, which originated in a court in Ireland, leading to speculation that the company may be under a gag order forbidding it to talk directly about the case.

Now, she says, companies must take the court’s ruling as binding if other European citizens launch cases against them regarding the use of their data. “That has really fallen by the wayside,” she adds.

Other observers agree, saying tech companies based in the US – under threat of additional lawsuits regarding how they use data – would likely begin lobbying Congress to work with European Union officials to reestablish a data sharing agreement.

“The emphasis isn’t going to come from the private citizen, it’s going to come from companies,” says Jim Kinsella, a former Microsoft executive who now runs a cloud data storage company called Zettabox based in Europe, in an interview before the decision was announced.

“They should be concerned, because that’s exactly what’s going to happen, companies are going to find themselves having to defend their choices about where they place their data,” he adds. “I think American companies are very angry about it. [They’re saying] that, ‘You, US government, are making us look untrustworthy.’”

Previously, tech companies have strongly denied being involved in government surveillance.

Mark Zuckerberg, Facebook’s head, dismissed reports that the company was involved in mass surveillance as “outrageous,” in a post on the social media site in 2013.

“We have never received a blanket request or court order from any government agency asking for information or metadata in bulk,” he wrote. “And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.”

But Mr. Kinsella says where data is stored could play a particular role in how companies deal with fallout of the court’s decision.

Currently, companies headquartered in the US must comply with government requests for data stored internationally, which often come through a subpoena. But under European laws, cloud-based computing companies headquartered in Europe that serve as the primary “data controller” would not need to respond to a US request for information.

That loophole could allow companies such as Kinsella’s Zettabox to act as intermediaries to store data in Europe outside of the reach of US surveillance. He said one small social media company headquartered in the US, which he declined to name, had reached out to the company about storing data using Zettabox’s servers.

“Can Microsoft or Facebook essentially contract out to somebody in Europe to be the data controller? I think the answer on the face of it is, yes, you could do that,” he says, noting that Microsoft had begun contracting with a company in China to store data separately from the company’s own servers.

In Europe, Microsoft had EU officials approve its cloud computing contracts separately, which allows it to go around the Safe Harbor protections, the Wall Street Journal reported.

In a press conference following the announcement of the court’s decision, European officials emphasized that they were working with data protection agencies from each member state on guidelines that would address transatlantic data transfer now that Safe Harbor is invalid, the Christian Science Monitor’s Passcode reported.

Currently, data transfers involving performing a contract or service, such as booking a hotel room, is still allowed between the EU and the US, Passcode notes, “Similarly, public interest data and personal medical records can be transferred with proper consent."

Foster, the privacy lawyer, says it was still early to tell exactly what impact the decision would have on how companies dealt with data transfers, but she called the decision “very sweeping.”

“The balance of power between the [European] commission and national data protection centers is reset, with most of the power going to the commission,” she said. “[The court] went as far they could.”