The Safe Harbor Framework was established in 2000 with the aim of ensuring that when transferred to the United States, EU citizens’ data is treated with the same legal protections it enjoys in Europe. This effectively meant that US companies self-certified themselves for compliance with the Framework.
Thanks to Mr Edward Snowdon, however, it is now abundantly clear that EU citizen’s data is not protected when transferred to the US, and that government surveillance agencies such as the NSA routinely perform mass collection and analysis of this data in a way that totally contravenes the EU Data Protection Directive.
Austrian national Max Shrems took Facebook to court over its failure to comply with the Safe Harbour Framework, first in Ireland, and then at the European Court of Justice (ECJ), and couple of weeks ago the ECJ’s s justice’s advocate general, Yves Bot, issued an important Opinion in support of Shrems’ case.
As expected, the ECJ has now followed Bot’s Opinion. Using strong language that makes it clear members’ anger at the scale of US spying operations exposed by Snowden, the ECJ invoked abuse of human rights in upholding Shrems’ case,
“The United States … scheme enables interference, by United States public authorities, with the fundamental rights of persons…”
“The ECJ has confirmed what the vast majority of internet users already know: large US-based tech companies have been deeply complicit in mass government surveillance, and have traded their users’ most basic rights for a cozy relationship with the US government. While the discussion around NSA spying has far too often focused only on the rights of US citizens, the ECJ ruling is a reminder that freedom from indiscriminate surveillance is a basic human right that should be protected for everyone, regardless of where they live.”
The ruling effectively invalidates the Safe Harbor Framework, leaving many who rely on it to do business in Europe, such Mike Zaneis, executive vice-president of public policy and general counsel for the Interactive Advertising Bureau, deeply alarmed,
“The weakening of the Safe Harbor agreement limits European consumers’ access to valuable digital services and impedes trade and innovation. We urge the US and EU to agree on new rules for the transatlantic transfer of data, taking into account the CJEU’s judgment.”
Despite such panicky responses, it is unlikely that the ruling will make an obvious difference to most Europeans. US companies have been aware of the coming ruling for quite some time, and have made preparations for it.
Although some larger companies, such as Facebook, Google and Amazon (the main targets of the ruling) may take steps to store EU citizens data on EU servers rather than transfer it to US servers, for most companies simply rewording their individual privacy policies to comply with EU regulation will probably be enough to sidestep the ruling (although exactly how these things will work remains to be decided.).
The real impact of the decision lies with the ECJ for the first time having the balls to declare mass indiscriminate surveillance of ordinary citizens’ digital data a violation of human rights law. And because this impacts international law, it will likely be highly influential in upcoming court cases challenging government surveillance in the EU, such as Privacy International, Amnesty International, and Liberty’s case against the UK government due to be heard next year.
When US business begins to suffer due the actions of government surveillance, there is a chance that real chance that changes to the modern surveillance culture may actually occur…