As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield

from the now-what? dept

This one sounds boring, but stick with it because it's important. Because the US and the EU have vastly different privacy regulation regimes, there has always been some conflict over how (mainly) US internet companies handle data from the EU. For years, this was "settled" by a weird and mostly useless "EU-US data protection safe harbor" agreement, in which US companies would have to get "certified" that they kept EU-originated data protected at an "equivalent" level to how it would be protected in the EU when transferring it across the Atlantic to US-based data centers. It was a bit of a nuisance as a company (we went through the process ourselves), but in 2015 the entire safe harbor agreement was invalidated by the EU Court of Justice because of the NSA's ongoing snooping on data from those internet companies, as revealed by Ed Snowden.

The EU and US freaked out, and had a frantic negotiation to come up with a new "safe harbor" agreement with the catchier name of "Privacy Shield," but as we pointed out when it was announced, the problem wasn't the text of the agreement, but rather the NSA's surveillance practices with regards to internet data. Here's what I wrote four years ago:

The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement.

Since then, the Privacy Shield was challenged and the challenge took its sweet time to go through the courts -- again brought by Max Schrems, whose lawsuit had sunk the original safe harbor as well. And, now, finally, four years later exactly what we expected to happen has happened. The CJEU has invalidated the Privacy Shield agreement, by basically saying "hey, the US surveillance regime remains the same, and that was the problem all along." You can read the full decision if you want to get deep into the details.

But the short summary is that while the Privacy Shield framework offered a few ways for EU residents to seek redress from some forms of surveillance, the CJEU says that's not nearly enough:

While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited … and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show “standing” …, which restricts access to ordinary courts …

As you may recall, Executive Order 12333 is the tool under which the US does most of its foreign surveillance totally outside of the oversight of Congress. This has always been a massive problem, and here the CJEU is basically saying "if the US doesn't do wholesale surveillance reform, there's going to be a serious problem with transferring data from the EU to the US."

Now, there is some argument here that EU surveillance is just as bad, and it's perhaps more than a little silly that the CJEU basically ignores that as if it's not important.

Either way, the key point to all of this is that if US companies want to be able to transfer data over from the EU to the US long term (there are ways they can do it for now), the US government needs to vastly reform its surveillance practices. Well, assuming there was a competent government that actually cared about these things. I'm a bit worried that the current administration will just ignore this or use it to attack the EU, which would be somewhat disastrous for US internet companies.

I've seen some people saying that this is a ruling against the internet companies and their data collection practices, but that's not really accurate. The problem is not so much that -- it's how the NSA spies on people with that data (with or without cooperation of the companies). This really should lead to the US internet industry pressuring the US government to stop mass surveillance -- just like we said four years ago.


Filed Under: data protection, eu, gdpr, mass surveillance, max schrems, nsa, privacy shield, surveillance
Companies: facebook, noyb


Reader Comments

  • aerinai (profile), 16 Jul 2020 @ 11:19am

    Splinternet, here we come!

    • ECA (profile), 16 Jul 2020 @ 1:23pm

      Re:

      This is funny, as I've suggested in the past watching all these nations create their OWN rules for the internet.
      Think of a Corp that has to do business, Here and there and installs locations in each country they deal with.
      Every one of them has to deal with local regs and laws.

      China takes over Tons of Manufacturing, not realizing why Japan STOPPED, and the ROC Stopped, and a few others started Major regulations about What to do about Pollution.
      Recently as 2 years ago, when the Olympics were in China.. They realized a lot of the problems.. People like fishing off the coastlines, And people like drinking water used in many of the Manufacturing Processes.. esp. waste clean up. Why do you think the USA did the same in the late 70's..

      It's the same idea.. that no matter what the internet does, they are going to be, NOT protected from Local regs. If the Internet would be considered an Independent nation.. and all of us as VISITORS, then we can demand that the internet POLICE ITSELF, or hire a few of us to help them.

      Consider the laws we have to deal with going from 1 nation to another.. But if the Net is considered another nation, and we catch someone THERE...how many problems are there?

  • Koby (profile), 16 Jul 2020 @ 12:51pm

    Good For The Gander

    Now, there is some argument here that EU surveillance is just as bad, and it's perhaps more than a little silly that the CJEU basically ignores that as if it's not important.

    My take is that the Privacy Shield agreement was just a scam, in that the US spy agencies would snoop on EU data, the EU spy agencies would snoop on US data, and then both sides would "share" information, while simultaneously claiming to civilian legislative representatives that the government was not spying on their own citizens.

    Now that one half of the scam is taken down, hopefully the other half will collapse as well. Good riddance.

    • ANANONANA, 16 Jul 2020 @ 1:43pm

      Re: Good For The Gander

      Side note on that, the one Five Eyes member in the EU just dropped out of the EU.

      Yet another situation where the UK can no longer act as a bridgehead into the EU...

    • Anonymous Coward, 16 Jul 2020 @ 2:02pm

      Re: Good For The Gander

      I always thought it was a scam anyway. The US and the EU have multiple intelligence-sharing agreements where the US can launder data from the EU and vice-versa through various means.

      The whole Privacy Shield agreement was just a fancy way of putting lipstick on a pig.

      Then again, that's how this game has always been played. Each country spying on the other so they can claim they're not spying on their own citizens. It's a clever loophole.

    • Anonymous Coward, 16 Jul 2020 @ 3:51pm

      Re: Good For The Gander

      Now that one half of the scam is taken down, hopefully the other half will collapse as well.

      My guess is that it will be like when "safe harbor" went away: EU companies will keep putting data in the USA, maybe with a token fine or two until the EU approves some new bullshit "framework" to let them do what they're already doing. That'll keep us going for another few years until the court notices it's bullshit and strikes it down, and then we'll see it all repeat; in other words, this is nothing but privacy-kiting.

    • Scary Devil Monastery (profile), 17 Jul 2020 @ 12:11am

      Re: Good For The Gander

      "Now that one half of the scam is taken down, hopefully the other half will collapse as well. Good riddance."

      Stuff like this is why I keep not flagging your comments when you devolve in your odd anti-230 diatribes. Speaking as a European who watched the anti-privacy messes on both sides of the pond you are lamentably correct.

      The US with its assorted plethora of programs - PRISM, xKeyscore, old venerable echelon...always went the route of allowing its multitude of alphabet soup organizations to strong-arm individual infrastructure providers into NDA-backed compliance, prompting the creation of the "warrant canary" concept.

      The EU went with the high-tier approach instead, with top tier legislation such as the data retention directive (happily declared unconstitutional by the EUCJ) and its watered-down derivatives.

      And from both sides, and especially for the member states of the EU it's been an utter farce where, for instance, Swedish authorities were, by Snowden, revealed to bypass citizen protections against unwarranted surveillance by simply leasing accounts with the US xKeyscore rather than spying on the citizenry themselves which would have been all kinds of illegal.

      It's taking government abuse just that step further when one of the key points of international cooperation is; "We'll let you guys spy on all our citizens as long as you are willing to share everything you find with us. We'll reciprocate in kind".

      I've always wondered if there isn't a legal term for when a government betrays its entire citizenry to a foreign power primarily so it can gain the ability to circumvent the foundational laws laid down in their national constitution. "High Treason" simply doesn't cut it.

      • Magnus Bergqvist, 17 Jul 2020 @ 4:09am

        Re: Re: Good For The Gander

        If I recall correctly, Sweden has twice been slapped down by the EU courts for being too invasive on the surveillance. And here the politicians stubbornly reply that the EU court is wrong, and that they have no intention of changing the laws.

        • Scary Devil Monastery (profile), 21 Jul 2020 @ 6:08am

          Re: Re: Re: Good For The Gander

          You recall correctly. Sweden was smacked down multiple times by the EU. First regarding its implementation of the data retention directive (DRD). Later on when Sweden refused to abolish our version of the DRD when the EU courts struck the directive down as unconstitutional, and then once again later on when Swedish authorities tried to finagle customer information out of ISPs and telcos.

          It's ironic. We learned in the '70s that mass surveillance was BAD by horrible example of what it led to - the IB affair still being very relevant - and yet here we are, with our own right-wing hawks still hollering about how it can't be undemocratic if the US does the same...

  • stine, 16 Jul 2020 @ 1:49pm

    Yay!

    It's about fucking time.

  • Anonymous Coward, 16 Jul 2020 @ 4:32pm

    Hypocrites.

    EU countries are ramping up surveillance powers like there is no tomorrow, like Germany for example that even tries to force social media companies to hand over passwords of accounts, but US surveillance is somehow evil?

    Seriously, fuck the EU. You do NOT get to argue with privacy when you yourself undermine it at every corner.

    • Anonymous Coward, 16 Jul 2020 @ 4:43pm

      Re:

      This is more a matter of "our surveillance is better than your surveillance".

      Or in other words: "That cake is yours, this cake is ours."

    • Scary Devil Monastery (profile), 17 Jul 2020 @ 12:17am

      Re:

      "...but US surveillance is somehow evil?"

      The EU and US have, on the political level, as key point of cooperation that since their respective constitutions absolutely prohibit the state from spying on every citizen they allow their trade partner to do so and partake of the information instead.

      So the US spies on the traffic of every EU citizen and then gives EU law enforcement a key account with xKeyscore and PRISM.
      And vice versa.

      Neatly bypasses every constitutional protection against mass surveillance by outsourcing the actual intelligence gathering to a foreign power.

      The EUCJ keeps pissing in this political construct since so far the people manning it are still the ones appointed to mainly observe the EU charter. It's hardly enough though, when the legislative body is hell-bent on trading the privacy of the citizenry they're tasked to defend to foreign powers.

  • Eldakka (profile), 16 Jul 2020 @ 5:30pm

    Now, there is some argument here that EU surveillance is just as bad, and it's perhaps more than a little silly that the CJEU basically ignores that as if it's not important.

    Even if EU surveillance is just as bad, the point is though, that the CJEU has power to hear cases against such surveillance and issue legally enforceable rulings against (or for) those EU spying agencies if an EU citizen does bring a case.

    This is not the case in the US. As has been demonstrated many times over, a non-US citizen has no standing in the US to bring an enforceable legal case against US Government surveillance.

    Basically, this is about whether there are remedies available to EU data subjects against such surveillance. There are in the EU, but there are not in the US.

    • Anonymous Coward, 17 Jul 2020 @ 1:01am

      Re:

      On these lines, do you think that there is a way for a US citizen to sue an EU company in the US, I am thinking about a car manufacturer for example, which very probably keeps all repair data in the EU, on similar claims, and bring the case all the way up to the Supreme Court?

  • Anonymous Coward, 16 Jul 2020 @ 11:47pm

    Stop pretending the US controls the transnational companies, the internet structures are legalized, or that the entire structure has come under effective US control from China, or India, or Eastern Europe to begin with.
