How NSA Surveillance May Result In Fragmenting The Internet: EU Court Leaning Towards Ending 'Privacy Safe Harbor'

from the this-could-be-a-mess dept

If you haven't dealt with it, the "EU-US data protection safe harbor" is somewhat confusing to deal with. The basics, however, are that under an agreement between the US and the EU, if US companies wish to transfer data out of Europe and to American servers, they have to abide by this "safe harbor" process, whereby they agree to take certain steps to keep that data safe and out of prying eyes. The process itself is something of a joke (we at Techdirt have actually gone through it to make sure we weren't violating the law -- though I imagine many small American internet companies don't even know it exists). You basically have to pay a company to declare you in compliance, which in reality often just means that the company reviews your terms of service/privacy policy to make sure it has specific language in it. There have been plenty of (potentially reasonable) complaints out of the EU that the safe harbor process doesn't actually do much to protect Europeans' data. That may be true, but the flipside of it isn't great either. Without the safe harbor framework, it's possible that it would be much more difficult for American internet companies to operate in Europe -- or for Europeans to use American internet companies. Some in Europe may think that's a good idea, until they suddenly can't use large parts of the internet.

Either way, the whole safe harbor system has come under attack on a variety of fronts, and it looks close to breaking... all because of the NSA. Max Schrems, who made news back in 2011 by asking Facebook for a copy of all the data it had on him, argued that the NSA's PRISM surveillance program violated EU data protection rules. The European Court of Justice's Advocate General, Yves Bot, has now sided with Schrems and basically said that the NSA surveillance has made the safe harbor process invalid.

The European Court of Justice still needs to come out with its final decision, but it usually (though not always!) agrees with the Advocate General's recommendation. Here, the Advocate General basically says that NSA surveillance has completely undermined the idea that the US can keep Europeans' data safe, and thus the safe harbor cannot stand.
According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance. Indeed, the access which the United States intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.
In short, thanks to indiscriminate mass surveillance by the NSA, we may witness a fractured and fragmented internet. That's a big deal.

The EU Commission and the US have been negotiating for a while to change the EU-US Safe Harbor setup anyway, so it's possible that even if the court follows the Advocate General's suggestion, a new, more acceptable, safe harbor process will be put in place. But, in the short term, this could create quite a mess for the internet. Once again, we see how the NSA's actions, which it claims are to "protect" America could end up doing massive economic damage to the internet.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 23 Sep 2015 @ 12:15pm

    Good.

    Let the US government learn that, no matter the justification, fear-induced lawbreaking is still lawbreaking.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Sep 2015 @ 12:24pm

      Re: Good.

      The US government would cheer if the Internet fragmented, as it is much easier to demonize a people if your own citizens cannot speak to them.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Sep 2015 @ 12:57pm

      Re: Good.

      Well, this is one way to get the sheeples attention!

      All the unemployed workers will be in the streets protesting (maybe rioting) to end the NSA.

      You will see signs like:
      "NSA spying cost me my job"
      "Jail all NSA employees"
      "NSA: Not Safe America"

      They will be breaking into your house to steal your food.

      National Security Agency will be disbanded and replaced with the National Soylent Agency tasked with feeding the unemployed.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 23 Sep 2015 @ 1:11pm

        Re: Re: Good.

        National Security Agency will be disbanded and replaced with the National Soylent Agency tasked with feeding the unemployed.
        Feeding the unemployed from the reprocessed bodies of employees of the previous NSA, right?

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 12:18pm

    Ha

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 23 Sep 2015 @ 12:24pm

    Well that's dumb.

    Why don't they just develop robust encryption standards for everything? NSA hasn't cracked all that much.

    Oh yeah. Germany and Britannia want to spy on all of Europe and encrypting everything would defeat that agenda.

    And ironically, the UK, a part of Five Eyes will report everything the NSA asks for, making the whole exercise moot.

    reply to this | link to this | view in chronology ]

    • identicon
      David, 24 Sep 2015 @ 12:42am

      Re: Well that's dumb.

      This is about Facebook et al handing all the data and communications of their users over to the U.S. government without any oversight or accountability. Encryption does not help against that. Encryption only helps against third parties, not against bad actors.

      reply to this | link to this | view in chronology ]

  • icon
    Pronounce (profile), 23 Sep 2015 @ 12:39pm

    Result In Fragmenting The Internet

    As the title suggests the worldwide network will continue to fracture. The state spook activities are accelerating a process that has been going on for some time now.

    There will come a time when mankind will think fondly of the past, and the opine the loss of the worldwide community that had once been possible due to a free and open Internet.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 12:42pm

    Something's gotta give, Mike. Hopefully, this way, the US government will finally realize that mass spying on everyone is not just an all-you-can-eat candyshop, and there are real consequences to doing that, both in terms of damaged relationships with allies as well as a major economic blow to the U.S. companies and economy.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 1:10pm

    EU jurisidiction over US websites?

    "(we at Techdirt have actually gone through it to make sure we weren't violating the law..."

    Isn't that rather like having to make sure you're in compliance with Chinese law simply because your website can be accessed by people in China?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Sep 2015 @ 1:18pm

      Re: EU jurisidiction over US websites?

      The difference is what you harmonize.

      It isn't the same harmonizing censorship (such as, you having to adopt the same measures as in China); that harmonizing privacy, that is a Human Right, and it's something that every country should respect.

      reply to this | link to this | view in chronology ]

    • identicon
      Fin, 23 Sep 2015 @ 2:02pm

      Re: EU jurisidiction over US websites?

      Only if you collect data in China and then move it out.

      If you have an EU data centre then you must ensure that any data maintained outside the EU that was pulled from the EU data centre has the same protections.

      Eg Amazon can't keep transactional data in the Netherlands and then move it to the US to do something that would be illegal in the EU.

      reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 23 Sep 2015 @ 2:20pm

      Re: EU jurisidiction over US websites?

      Isn't that rather like having to make sure you're in compliance with Chinese law simply because your website can be accessed by people in China?

      Nope. This is a US rule, put in place with the EU, to allow US companies to offer services to EU individuals. So, it's not a European mandate, but a US one (that was done together with the EU).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 1:13pm

    I see the part about fragmenting the internet, but to be honest, I don't like the part of the unprotected personal data either.


    So? What we choose, fragmented internet, Big Brother or maybe, by any chance, putting in place proper and real personal data protection measures and consumer protection laws?


    You see, the governments having access to your personal data is bad enough, but your personal data bouncing around different companies and who else (like identity thieves) is way worse.

    Apart that their security may leave a lot for complaints, they tend to be quite unscrupulous about what they do (see Volkswagen or GM, corps are bad, no matter where they come from), and it usually has a bigger impact on your life.


    Remember Ashley Madison? Or the Sony hack of millions of bank related data and that Sony got away free from that due to the consumer protection laws in California?


    Seriously, I agree that we don't want a fragmented internet; but the price given for that isn't right either.

    The issue with the personal data isn't if the company uses them for their own purposes (like, for example, directed ads), but what else they do with them, the security involved and what happens if that is broken.


    You wouldn't want your data in North Korea even if it broke the internet, would you? Right now, the US is turning more like North Korea regarding respecting people's human rights.

    And no, don't look only at the NSA. Is the whole US framework in such matters what it worries me too.


    But don't worry. Even if the agreement with EU Commission and the US doesn't bring more "acceptable" safe harbour measures, the TTIP and TiSA agreements will fix all those pesky measures of the europeans wanting their privacy.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 25 Sep 2015 @ 7:11am

      Re:

      "I see the part about fragmenting the internet"

      I see the internet as already fragmented. The fragmentation could be a lot worse, but it already exists.

      reply to this | link to this | view in chronology ]

  • icon
    FamilyManFirst (profile), 23 Sep 2015 @ 1:45pm

    Mandate encryption

    Since the EU-US Safe Harbor set up is under review anyway, modify it to require that any data transferred out of Europe and into American servers must be encrypted in transit and at its destination server. It would make the verification process more significant (and, thus, more expensive) but it would go a long way toward re-legitimizing the process.

    The beauty of such a rule is that it would prompt many companies to simply encrypt everything in-transit and on-server, rather than trying to set up something specific to EU-US. That would be a good thing.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Sep 2015 @ 2:46pm

      Re: Mandate encryption

      Not that it would make much difference. A number of EU members pull the same kind of shit the United States does, often in collaboration with the US government.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 3:05pm

    So, whats the purpose of this political pissing match?
    vw cheating with emission was well known for a long time, so the question is why did they brought it up now. Same with this one.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 3:33pm

    and if that happens, you can bet 'it wasn't the USA's fault! it was all the EU's doing'!!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Sep 2015 @ 8:11pm

    Tag

    The tag says "Max Schrem". It's missing the trailing "s".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Sep 2015 @ 2:36am

    in europe, the right to privacy is regarded as a human right.

    in america, europeans arent even regarded as humans.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Sep 2015 @ 2:41am

    "The European Court of Justice's Advocate General, Yves Bot, has now sided with Schrems and basically said that the NSA surveillance has made the safe harbor process invalid."

    Unlike U.S. courts, the European Court of Justice won't trump legal arguments that come before it with an appeal to U.S. security interests.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.