The European Union’s top court ruled Tuesday that a major data-sharing agreement between the United States and the E.U. is invalid, throwing a wrench into the operations of major U.S. businesses and further roiling the debate over far-reaching American surveillance programs.
The ruling from the European Court of Justice struck down the so-called Safe Harbor agreement, which let American companies, like Google and Facebook, transfer data stored in Europe back to the United States, on the grounds that U.S. mass-surveillance operations prevented the companies from complying with the agreement’s privacy provisions.
While many U.S. firms have other deals with the E.U. that allow the transfer of data from Europe to the U.S., the court’s ruling could have untold consequences for both American and European businesses.
“Today’s ruling shows the need to step up reforms of government surveillance practices.”
The United States and the European Commission, the E.U.’s governing body, negotiated the Safe Harbor agreement to ensure that U.S. companies could operate in Europe while still complying with the E.U. directive on personal data privacy. But in its ruling, the European court said that the agreement unlawfully denied E.U. member-states the authority to let their citizens question whether data sharing complied with their “fundamental rights and freedoms.”
“The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way,” the ruling said.
The court’s ruling hinges on the incompatibility of the privacy directive with the U.S. government’s controversial access to American companies’ data. The ruling is the latest major fallout from the high-profile revelations of National Security Agency surveillance programs.
Former NSA contractor Edward Snowden, whose stolen documents helped journalists expose those programs beginning in June 2013, praised the decision on Twitter, saying it “indicates [that] the indiscriminate interception of communications is a violation of rights.”
#SafeHarbor was abused under US law due to #FAA702, which allowed a US official to authorize spies to monitor people without court orders.
— Edward Snowden (@Snowden) October 6, 2015
The #CJEU decision on #SafeHarbor can’t strike #FAA702 off the books in the US, but it shows it does not comport with international law.
— Edward Snowden (@Snowden) October 6, 2015
Internet-rights groups were quick to seize on the court’s decision as a victory for global privacy. “Today’s ruling shows the need to step up reforms of government surveillance practices,” Jens Henrik-Jeppesen, the director of European Affairs at the Center for Democracy & Technology, said in a statement. “There is a clear need for the U.S. and Europe to set clear, lawful, and proportionate standards and safeguards for conducting surveillance for national security purposes.”
Trade groups for major Silicon Valley companies expressed concern that the elimination of the agreement would complicate their members’ operations. Daniel Castro, the vice president of the Information Technology and Innovation Foundation, said in a statement that the elimination of Safe Harbor highlighted the need for “much-needed privacy reforms to rebuild trust and cooperation” in both the U.S. and Europe.
“If [E.U.] data cannot be stored or processed in the United States, it damages European users of technology, both businesses and consumers, putting them even further behind America,” Castro said. “Everyone benefits from finding a workable solution that avoids undermining the transatlantic digital economy.”
Sen. Ron Wyden (D-Ore.), who has repeatedly criticized mass surveillance for jeopardizing U.S. economic interests, released a statement calling the ruling “misguided.” He partly blamed the NSA and its congressional supporters, saying that mass surveillance “did grave damage to the reputations of the American tech sector.” But he also defended the Safe Harbor agreement itself, lashing out at the court for declaring “open season against American businesses.”
U.S. and E.U. teams have been working for more than two years to update the Safe Harbor agreement. At a news conference after the verdict was announced, Vĕra Jourová, the European Commission’s commissioner for justice, consumers, and gender equality, said that the Commission wanted to “step up discussions with the U.S. [for] a renewed and safe framework for the transfer of personal data across the Atlantic.”
“In particular,” Jourová said, “the updated agreement should reflect the E.U. request that a national-security exception [to conventional data-access rules] is used only to the extent that it is strictly necessary and proportionate for a given incident.”
Commerce Secretary Penny Pritzker said in a statement that while the U.S. was “deeply disappointed” with the ruling, it was also “prepared to work with the European Commission to address uncertainty created by the court decision.”
The court’s decision followed the logic that one of its top staff members laid out in a Sept. 23 advisory opinion. In that document, Yves Bot, an advocate general for the court, argued that the U.S.’s “mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the [E.U.] Charter.”
Illustration by Max Fleishman