A couple of weeks ago we wrote that the EU Court of Justice appeared likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA's snooping on US tech companies -- and now it has happened. The "EU-US data protection safe harbor" may sound boring, but it's actually been fairly important in making sure that US internet companies can operate in Europe. It's been under attack for some time from those who feel that these American companies don't take European privacy interests seriously enough, but it's really the NSA and its idiotic "collect it all" mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone... blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.
The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA's PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we've gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.
Still, losing those safe harbors can really shake up the internet -- and not necessarily in a good way. While I'm sure some (probably short-sighted) privacy advocates will cheer on this result, it's going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn't been going smoothly, and this will continue to throw a wrench into things.
Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders -- which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future -- as many companies will just keep right on doing what they're doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.
In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems' complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.
In short, though, this is yet more damage directly done by the NSA and the US's ridiculous attitude towards mass surveillance, without any concern at all for the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won't do anything to better protect people's privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public's rights -- including the right to free expression. Danny O'Brien at EFF sums it up nicely:
That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government—breaking into those systems to extract it.
What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.
There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.
The ruling today is not a win for privacy. It creates a bigger mess, but it's one that needs to be cleaned up at the source, and that's where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn't seem to be any indication that this is what's going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won't change anything, but which may just be more expensive for companies. That's a mistake. There's a way to fix this mess and it's to stop mass surveillance.