WASHINGTON D.C. — Today, the European Court of Justice struck down the 2000 “Safe Harbor” agreement that has allowed U.S. Internet companies like Facebook and Twitter to use personal data provided by EU citizens. The ruling will make it harder for Europeans to access American Internet services, and for Europeans and Americans to interact with each other online.
The case was brought by Maximilian Schrems, an Austrian privacy advocate in 2013, in the wake of Edward Snowden’s revelations about the National Security Agency’ surveillance. Schrems argued that Facebook’s adherence to the Safe Harbor framework was inadequate to protect his privacy because it did not prevent unrestricted access by the U.S. government to his data, or allow him any redress over how his data is used. The ruling allows each EU country’s national data protection authority to restrict such data flows.
“This could be a disaster for Internet users everywhere and for U.S. Internet companies,” said Berin Szoka. “The decision allows European regulators to start building a Great Privacy Wall around Europe to stop data from flowing to the U.S. — not because Facebook or any U.S. company did anything wrong, but because U.S. national security and law enforcement agencies can too easily access private data. It’s a giant roadblock in the way of what has allowed the Internet to flourish: the free flow of information across national borders.”
“If the Internet is to continue to be an open, global medium, the Administration must move swiftly on a new Safe Harbor agreement,” concluded Szoka. “A Safe Harbor 2.0 will require greater transparency about data collection and rigorous compliance—not just by U.S. companies, but by U.S. government agencies, which were not bound by the 2000 Safe Harbor agreement. But Europeans won’t agree to a new deal until Congress passes basic privacy reforms.” Szoka highlighted two legislative reports that will be essential to any deal:
- “Despite overwhelming bipartisan support, Congress has dawdled for over five years on legislation requiring law enforcement to obtain a warrant before accessing stored communications like email — a concern hinted at by the ECJ decision, which does not focus solely on NSA surveillance. Critically, this protection would apply to non-U.S. citizens.
- Bipartisan legislation would give EU citizens the same redress rights under the 1974 Privacy Act for at least the non-sensitive data held by the U.S. government. The Judicial Redress Act would at least begin to address the ECJ’s strong concern about a lack of remedy for privacy violations by the U.S. government.”
“If Congress had moved faster to pass privacy reforms after the Snowden leaks, this decision might have been avoided,” said Berin Szoka. “The ECJ’s central concern, collection of personal data on a ‘generalised basis’ without ‘objective criteria,’ was largely addressed by USA Freedom, the legislation Congress passed in June prohibiting most ‘bulk collection’ of personal data. That reform, not mentioned by the ECJ, was apparently too little too late: it didn’t go far enough, and it came after ECJ had already heard oral arguments. On its own, USA Freedom might not have been enough to change ECJ’s gestalt analysis of U.S. privacy protections, but it will be essential to reestablishing U.S. credibility on privacy.
“The longer this fight drags out, the less leverage the U.S. will have,” concluded Szoka. “EU regulators may start using this morally righteous decision as a pretext for digital protectionism. If Congress stalls, America’s leadership of the Internet may be lost forever.”
###
We can be reached for comment at media@techfreedom.org. See more of our work on surveillance, including:
- “Senate Refuses to Poison the USA FREEDOM Act,” a statement from TechFreedom
- Coalition letter opposing data retention mandates on the private sector
- “McConnell is Playing a Dangerous Game with the PATRIOT Act,” a statement from TechFreedom
- “The Senate Should Move Quickly on Surveillance Reform,” a statement from TechFreedom
- Coalition letter urging Senator McConnell Not to Fast-Track the PATRIOT Act