The European Court of Justice on Tuesday invalidated an agreement between the U.S. and the European Union that allowed Internet companies to exchange data across the Atlantic, citing concerns about American spy agencies surveilling Europeans’ data — a battle Microsoft has been fighting with the Department of Justice for the last year.
According to the court, more than 5,000 U.S. and European tech companies can’t be trusted to maintain EU privacy standards for Europeans’ data as a result of mass U.S. surveillance programs revealed by former National Security Agency contractor Edward Snowden in 2013.
“Europe’s high court just struck down a major law routinely abused for surveillance,” Snowden tweeted Tuesday. “We are all safer as a result.”
Under the so-called “Safe Harbor” agreement, which took effect in 2000, companies like Facebook were allowed to self-certify they were transferring and processing the data of EU citizens in compliance with EU privacy standards.
According to Snowden, the agreement was used to facilitate surveillance practices legalized in Section 702 of the FISA Amendments Act, which allows the NSA to tap the physical infrastructure of the Internet, like undersea fiber cables, to collect and surveil the content of communications (not just metadata) in transit between borders.
Without the agreement, companies will have to draw up specific contracts between the two parties detailing the type of data involved and the steps being taken to secure it for export, though European regulators suggest companies can rely on side agreements for protection.
The European Commission plans to issue further guidance in the next few weeks, and the two sides have already spent the last year and a half working on an updated “Safe Harbor 2.0” agreement.
In the meantime, security firms like Symantec warn the ruling will create “disruption and uncertainty” for companies and users, and a UK law firm describes it as “a nightmare administratively.”
The case began in Ireland shortly after the Snowden leaks, where privacy advocate Max Schrems asked the Irish Data Protection Commission to review the data Facebook moves across the Atlantic. The commission refused, and the case was referred instead to the European Court of Justice.
Ireland is also ground zero for another, more direct attempt by the U.S. government to access foreign data, which U.S. companies have been moving offshore in recent years in anticipation of Tuesday’s ruling. The Justice Department has been fighting Microsoft in court for the last year to gain access to user data stored in a Dublin server relevant to a drug trafficking investigation.
Microsoft argues since the server is based in Ireland, the department has to go through Irish authorities to access the data. The Justice Department argues that as a company based in the U.S., Microsoft must turn over the requested emails regardless of where they’re stored in accordance with the Electronic Communications Privacy Act (ECPA) — Reagan-era legislation allowing the government to subpoena “business records” from U.S. companies after they’re 180 days old.
During a discussion about the case at the American Enterprise Institute Tuesday, information security and privacy lawyer Bryan Cunningham described the issue as an “existential problem” for the companies he represents, and the court’s decision a “wake up call” on the need for ECPA reform and a new framework for facilitating legal, transparent law enforcement data requests across borders.
“We’ve seen what happens when the government feels constrained in getting the information it needs — it finds ways to break into the connections between American service providers overseas,” Cunningham said, alluding to the type of bulk surveillance practices referred to by Snowden. “It finds ways to get the data, and I don’t think we want to incentivize that.”
Without that framework, Cunningham said, countries will inevitably turn to more secret surveillance methods to obtain data from tech companies. Those companies are already suffering a loss of consumer trust for cooperating, or appearing to have cooperated, with U.S. intelligence agencies, and they already face a different set of sanctions on each side of the Atlantic: for failing to adhere to privacy standards in the EU, or for failing to cooperate with law enforcement requests in the U.S.
“Thousands of American companies use [safe harbor] to lawfully transfer data back from the EU about EU citizens to the United States,” Cunningham, who previously served as deputy legal adviser to then-National Security Adviser Condoleezza Rice, told the panel at AEI just hours after the EU ruling.
“I think the summary of it is ‘chaos,’” Cunningham said of the court’s opinion. “And this is all of a piece, because the reason why the European governments came to this position and the reason this litigation got so far, I believe, is because of the Snowden revelations and European citizens’ concerns over U.S. government activity.”