As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield

from the now-what? dept

This one sounds boring, but stick with it because it’s important. Because the US and the EU have vastly different privacy regulation regimes, there has always been some conflict over how (mainly) US internet companies handle data from the EU. For years, this was “settled” by a weird and mostly useless “EU-US data protection safe harbor” agreement, in which US companies would have to get “certified” that they kept EU-originated data protected at an “equivalent” level to how it would be protected in the EU when transferring it across the Atlantic to US-based data centers. It was a bit of a nuisance as a company (we went through the process ourselves), but in 2015 the entire safe harbor agreement was invalidated by the EU Court of Justice because of the NSA’s ongoing snooping on data from those internet companies, as revealed by Ed Snowden.

The EU and US freaked out, and had a frantic negotiation to come up with a new “safe harbor” agreement with the catchier name of “Privacy Shield,” but as we pointed out when it was announced, the problem wasn’t the text of the agreement, but rather the NSA’s surveillance practices with regards to internet data. Here’s what I wrote four years ago:

The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement.

Since then, the Privacy Shield was challenged and the challenge took its sweet time to go through the courts — again brought by Max Schrems, whose lawsuit had sunk the original safe harbor as well. And, now, finally, four years later exactly what we expected to happen has happened. The CJEU has invalidated the Privacy Shield agreement, by basically saying “hey, the US surveillance regime remains the same, and that was the problem all along.” You can read the full decision if you want to get deep into the details.

But the short summary is that while the Privacy Shield framework offered a few ways for EU residents to seek redress from some forms of surveillance, the CJEU says that’s not nearly enough:

While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited ? and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show ?standing? ?, which restricts access to ordinary courts ?

As you may recall, Executive Order 12333 is the tool under which the US does most of its foreign surveillance totally outside of the oversight of Congress. This has always been a massive problem, and here the CJEU is basically saying “if the US doesn’t do wholesale surveillance reform, there’s going to be a serious problem with transferring data from the EU to the US.”

Now, there is some argument here that EU surveillance is just as bad, and it’s perhaps more than a little silly that the CJEU basically ignores that as if it’s not important.

Either way, the key point to all of this is that if US companies want to be able to transfer data over from the EU to the US long term (there are ways they can do it for now), the US government needs to vastly reform its surveillance practices. Well, assuming there was a competent government that actually cared about these things. I’m a bit worried that the current administration will just ignore this or use it to attack the EU, which would be somewhat disastrous for US internet companies.

I’ve seen some people saying that this is a ruling against the internet companies and their data collection practices, but that’s not really accurate. The problem is not so much that — it’s how the NSA spies on people with that data (with or without cooperation of the companies). This really should lead to the US internet industry pressuring the US government to stop mass surveillance — just like we said four years ago.

Filed Under: , , , , , , ,
Companies: facebook, noyb

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield”

Subscribe: RSS Leave a comment
ECA (profile) says:

Re: Re:

This is funny, As Iv suggested in the past watching all these nations create their OWN rules for the internet.
Think of a Corp that has to do business, Here and there and installs locations in each country they deal with.
Everyone of them has to deal with local regs and laws.

China takes over Tons of Manufacturing, not realizing why Japan STOPPED, and the ROC Stopped, and a few others started Major regulations about What to do about Pollution.
Recently as 2 years ago, when the Olympics, were in China..They realized allot of the problems.. People like fishing off the coastlines, And people like drinking water used in many of the Manufacturing Processes..esp waste clean up. Why do you think the USA did the same in the late 70’s..

Its the same idea.. that no matter what the internet does, they are going to be, NOT protected from Local regs. If the Internet would be considered an Independent nation.. and all of us as VISITORS, then we can demand that the internet POLICE ITSELF, or hire a few of us to help them.

Consider the laws we have to deal with going from 1 nation to another.. But if the Net is considered another nation, and we catch someone THERE…how many problems are there?

Koby (profile) says:

Good For The Gander

Now, there is some argument here that EU surveillance is just as bad, and it’s perhaps more than a little silly that the CJEU basically ignores that as if it’s not important.

My take is that the Privacy Shield agreement was just a scam, in that the US spy agencies would snoop on EU data, the EU spy agencies would snoop on US data, and then both sides would "share" information, while simultaneously claiming to civilian legislative representatives that the government was not spying on their own citizens.

Now that one half of the scam is taken down, hopefully the other half will collapse as well. Good riddance.

Anonymous Coward says:

Re: Good For The Gander

I always thought it was a scam anyway. The US and the EU have multiple intelligence-sharing agreements where the US can launder data from the EU and vice-versa through various means.

The whole Privacy Shield agreement was just a fancy way of putting lipstick on a pig.

Then again, that’s how this game has always been played. Each country spying on the other so they can claim they’re not spying on their own citizens. It’s a clever loophole.

Anonymous Coward says:

Re: Good For The Gander

Now that one half of the scam is taken down, hopefully the other half will collapse as well.

My guess is that it will be like when "safe harbor" went away: EU companies will keep putting data in the USA, maybe with a token fine or two until the EU approves some new bullshit "framework" to let them do what they’re already doing. That’ll keep us going for another few years until the court notices it’s bullshit and strikes it down, and then we’ll see it all repeat; in other words, this is nothing but privacy-kiting.

Scary Devil Monastery (profile) says:

Re: Good For The Gander

"Now that one half of the scam is taken down, hopefully the other half will collapse as well. Good riddance."

Stuff like this is why I keep not flagging your comments when you devolve in your odd anti-230 diatribes. Speaking as a european who watched the anti-privacy messes on both sides of the pond you are lamentably correct.

The US with it’s assorted plethora of programs – PRISM, xKeyscore, old venerable echelon…always went the route of allowing its multitude of alphabet soup organizations to strong-arm individual infrastructure providers into NDA-backed compliance, prompting the creation of the "warrant canary" concept.

The EU went with the high-tier approach instead, with top tier legislation such as the data retention directive (happily declared unconstitutional by the EUCJ) and it’s watered-down derivatives.

And from both sidees, and especially for the member states of the EU it’s been an utter farce where, for instance, Swedish authorities were, by snowden, revealed to bypass citizen protections against unwarranted surveillance by simply leasing accounts with the US xKeyscore rather than spying on the citizenry themselves which would have been all kinds of illegal.

It’s taking government abuse just that step further when one of the key points of international cooperation is; "We’ll let you guys spy on all our citizens as long as you are willing to share everything you find with us. We’ll reciprocate in kind".

I’ve always wondered if there isn’t a legal term for when a government betrays it’s entire citizenry to a foreign power primarily so it can gain the ability to circumvent the foundational laws laid down in their national constitution. "High Treason" simply doesn’t cut it.

Scary Devil Monastery (profile) says:

Re: Re: Re: Good For The Gander

You recall correctly. Sweden was smacked down multiple times by the EU. First regarding its implementation of the data retention directive (DRD). Later on when Sweden refused to abolish our version of the DRD when the EU courts struck the directive down as unconstitutional, and then once again later on when swedish authorities tried to finagle customer information out of ISP’s and telcos.

It’s ironic. We learned in the ’70’s that mass surveillance was BAD by horrible example of what it led to – the IB affair still being very relevant – and yet here we are, with our own right-wing hawks still hollering about how it can’t be undemocratic if the US does the same…

This comment has been deemed insightful by the community.
Anonymous Coward says:


EU countries are ramping up surveilance powers like there is no tomoroow, like germany for example that even tries to force social media companies to handover passwords of accounts, but US surveilance is somehow evil?

seriously, fuck the EU. You do NOT get to argue with privacy when you youirself undermine it at every corner.

Scary Devil Monastery (profile) says:

Re: Re:

"…but US surveilance is somehow evil? "

The EU and US have, on the political level, as key point of cooperation that since their respective constitutions absolutely prohibit the state from spying on every citizen they allow their trade partner to do so and partake of the information instead.

So the US spies on the traffic of every EU citizen and then gives EU law enforcement a key account with xKeyscore and PRISM.
And vice versa.

Neatly bypasses every constitutional protection against mass surveillance by outsourcing the actual intelligence gathering to a foreign power.

The EUCJ keeps pissing in this political construct since so far the people manning it are still the ones appointed to mainly observe the EU charter. It’s hardly enough though, when the legislative body is hell-bent on trading the privacy of the citizenry they’re tasked to defend to foreign powers.

Eldakka (profile) says:

Now, there is some argument here that EU surveillance is just as bad, and it’s perhaps more than a little silly that the CJEU basically ignores that as if it’s not important.

Even if EU surveillance is just as bad, the point is though, that the CJEU has power to hear cases against such surveillance and issue legally enforceable rulings against (or for) those EU spying agencies if an EU citizen does bring a case.

This is not the case in the US. As has been demonstrated many times over, a non-US citizen has no standing in the US to bring an enforceable legal case against US Government surveillance.

Basically, this is about whether there are remedies available to EU data subjects against such surveillance. There are in the EU, but there are not in the US.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...