As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield

from the now-what? dept

This one sounds boring, but stick with it because it's important. Because the US and the EU have vastly different privacy regulation regimes, there has always been some conflict over how (mainly) US internet companies handle data from the EU. For years, this was "settled" by a weird and mostly useless "EU-US data protection safe harbor" agreement, in which US companies would have to get "certified" that they kept EU-originated data protected at an "equivalent" level to how it would be protected in the EU when transferring it across the Atlantic to US-based data centers. It was a bit of a nuisance as a company (we went through the process ourselves), but in 2015 the entire safe harbor agreement was invalidated by the EU Court of Justice because of the NSA's ongoing snooping on data from those internet companies, as revealed by Ed Snowden.

The EU and US freaked out, and had a frantic negotiation to come up with a new "safe harbor" agreement with the catchier name of "Privacy Shield," but as we pointed out when it was announced, the problem wasn't the text of the agreement, but rather the NSA's surveillance practices with regards to internet data. Here's what I wrote four years ago:

The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement.

Since then, the Privacy Shield was challenged and the challenge took its sweet time to go through the courts -- again brought by Max Schrems, whose lawsuit had sunk the original safe harbor as well. And, now, finally, four years later exactly what we expected to happen has happened. The CJEU has invalidated the Privacy Shield agreement, by basically saying "hey, the US surveillance regime remains the same, and that was the problem all along." You can read the full decision if you want to get deep into the details.

But the short summary is that while the Privacy Shield framework offered a few ways for EU residents to seek redress from some forms of surveillance, the CJEU says that's not nearly enough:

While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited … and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show “standing” …, which restricts access to ordinary courts …

As you may recall, Executive Order 12333 is the tool under which the US does most of its foreign surveillance totally outside of the oversight of Congress. This has always been a massive problem, and here the CJEU is basically saying "if the US doesn't do wholesale surveillance reform, there's going to be a serious problem with transferring data from the EU to the US."

Now, there is some argument here that EU surveillance is just as bad, and it's perhaps more than a little silly that the CJEU basically ignores that as if it's not important.

Either way, the key point to all of this is that if US companies want to be able to transfer data over from the EU to the US long term (there are ways they can do it for now), the US government needs to vastly reform its surveillance practices. Well, assuming there was a competent government that actually cared about these things. I'm a bit worried that the current administration will just ignore this or use it to attack the EU, which would be somewhat disastrous for US internet companies.

I've seen some people saying that this is a ruling against the internet companies and their data collection practices, but that's not really accurate. The problem is not so much that -- it's how the NSA spies on people with that data (with or without cooperation of the companies). This really should lead to the US internet industry pressuring the US government to stop mass surveillance -- just like we said four years ago.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data protection, eu, gdpr, mass surveillance, max schrems, nsa, privacy shield, surveillance
Companies: facebook, noyb

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 16 Jul 2020 @ 2:02pm

    Re: Good For The Gander

    I always thought it was a scam anyway. The US and the EU have multiple intelligence-sharing agreements where the US can launder data from the EU and vice-versa through various means.

    The whole Privacy Shield agreement was just a fancy way of putting lipstick on a pig.

    Then again, that's how this game has always been played. Each country spying on the other so they can claim they're not spying on their own citizens. It's a clever loophole.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.