Opinion: With pervasive government surveillance, there are no safe harbors

This week's European ruling striking down the transatlantic Safe Harbor deal is a stark reminder that no one's data is safe until governments around the world reform digital surveillance practices.

An undated aerial handout photo shows the National Security Agency headquarters building in Fort Meade, Maryland.

Reuters

October 8, 2015

The Court of Justice of the European Union decision to strike down the transatlantic Safe Harbor agreement gives EU officials and their American counterparts a chance to start over on data protection.

The two sides should take this opportunity to hammer out a deal that fixes the inherent problems with the original arrangement in order to offer meaningful data protection that respects the rights of everyone.

But for any real movement to improve on the Safe Harbor agreement will require meaningful political reform to curb the digital eavesdropping practices at the National Security Agency as well as at spy agencies across Europe.

What the EU Safe Harbor ruling means for data privacy

In fact, NSA spying was at the heart of the European ruling on Safe Harbor. The court's decision stemmed from a case brought by Austrian privacy activist Max Schrems, who claimed that Facebook violated the Safe Harbor deal due to the NSA's PRISM program.

Exposed in 2013, PRISM is a massive surveillance program authorized in the 2008 amendments to the Foreign Intelligence Surveillance Act. Congress passed the FISA Amendments Act to authorize surveillance that had previously been carried out under the so-called warrantless wiretapping program. The law vastly expanded the government's legal authority to surveil international communications in the US.

Mr. Schrems claimed that PRISM demonstrated that Facebook – which, like many companies, transfers scores of data from servers in Europe to those in the US – couldn't comply with Safe Harbor. Notably, the case does not address surveillance under other authorities such as Executive Order 12333, which grants broad surveillance powers for information stored outside of the US and doesn’t require any judicial involvement and has little oversight or accountability.

Plenty of digital rights and civil society groups have long pointed to the failings of Safe Harbor. The deal requires that companies only self-certify they are complying with the principles of the arrangement. In 2013, the European Commission identified 13 additional areas in which the Safe Harbor arrangement needs reform, including transparency and redress.

Another problem with Safe Harbor was that the protections it sought to provide were limited "to the extent necessary to meet national security, public interest, or law enforcement requirements." This, coupled with the NSA’s broad surveillance authorities and failure to meaningfully recognize the human rights of people outside the US, means that innocent people in the EU – and around the world – have routinely had their personal data collected in US government surveillance programs.

In the race to attract students, historically Black colleges sprint out front

But government surveillance isn’t a problem only at America's harbor – it’s a global problem.

Last year, Britain issued a policy that rationalized bulk surveillance programs. The German surveillance agency, Bundesnachrichtendienst, or BND, has collected information on its own citizens and shared that data with the NSA. France is in the midst of passing an incredibly draconian surveillance law, as are several other countries in Latin America and Africa. Australia passed its own suite of overly broad surveillance laws last year.

It remains to be seen what will replace Safe Harbor in the long term. In the immediate future, companies will likely have to negotiate individual agreements with EU countries to store information outside Europe. But if PRISM is the deal-breaker, it is difficult to see how a new Safe Harbor agreement would fix the surveillance problem. A solution requires vastly overhauling US surveillance authorities like the FISA Amendments Act in a way that recognizes the rights of those in the EU and around the world.

In something of an ironic twist in all of this, because Safe Harbor's collapse means more information will be stored outside the US, it'll therefore be within the jurisdiction of Executive Order 12333. Therefore, the court's ruling may actually mean fewer safeguards against surveillance of Europeans than under PRISM.

The European court's decision is a loud and impactful statement about pervasive government surveillance that continues to harm individuals and companies. But the damage won't stop until serious reforms take place in the US and abroad. If the NSA’s PRISM program means that the US isn't a safe harbor for individuals' private data and personal communications, it's difficult to find a place where one exists.

Amie Stepanovich is the US policy manager for Access. Follow her on Twitter @astepanovich.