European Court of Justice: U.S. ‘Safe Harbor’ Decision is Invalid
The European Court of Justice (ECJ) today declared invalid and struck down the ‘Safe Harbor’ data-transfer agreement, which until now has governed how data produced by European users of U.S.-based cloud-computing services is sent to the U.S. for processing. The decision to strike down Safe Harbor is one of the direct products of Edward Snowden’s revelations that the U.S. mass-surveillance apparatus has been tapping into this stream of information from the E.U. to the U.S. as a means of spying on citizens of both international entities.
The Safe Harbor Executive Decision, dating back to 2000, enabled U.S. companies (approximately 4,700) to self-certify themselves as providing ‘adequate protection’ of European citizens’ right to privacy. Under Article 8 of the European Convention for the Protection of Human Rights, this right to privacy is meant to be guaranteed. Once Edward Snowden revealed the U.S. Government’s abuses of this right to privacy, European privacy campaigner Max Schrems filed complaints in Irish courts against several U.S. companies on the grounds that they were collaborating with the NSA’s PRISM program. In response to today’s ruling, Schrems pointed out that it draws a clear line by stating that mass surveillance violates Europeans’ fundamental rights.
Robert Litt (General Counsel from the Office of the U.S. Director of National Intelligence) anticipated the ECJ’s ruling yesterday when he defended the PRISM program as follows: “… the US may obtain communications only relating to specific identifiers… an email address or telephone number; only if the US believes those identifiers are being used to communicate foreign intelligence information; and only with the legally compelled assistance of communications service providers…” The issue with this statement, and with statements like it that the ECJ is standing against, is that in practice, ‘Safe Harbor’-certified corporations did not comply with these stated limitations.
This ruling is positive for consumers, whose data should by right be protected in practice. It’s a major win for Internet privacy advocacy groups. This ruling may even be good for European businesses offering data services, in that it will force U.S. cloud-services companies (Amazon, eBay, Skype, Google, et al.) to build localized data centers in Europe, to avoid sending European data transmissions through U.S. portals. Most importantly, this ruling governs where data can be stored, in an effort to protect the producers of that information from having their data used in ways to which they did not explicitly give consent.
Since the Internet is a series of tubes through which data relays back and forth, traversing the planet, this ruling in effect changes the infrastructure of the web: it will be crucial to watch carefully for what other forms of localization follow as a result of this decision.
TechCrunch: Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement with U.S.