Europe has killed the Safe Harbor agreement. At a stroke, Facebook and more than 4,000 others can no longer legally move personal data from European countries to the U.S.
It's causing utter panic in the legal departments of companies that store European citizens' data. And it potentially opens the floodgates for a metric ton of privacy lawsuits across the member states of the European Union (EU). But this might not have happened, were it not for Edward Snowden and his blowing of the NSA surveillance whistle.
In summary: the European Court of Justice (ECJ) ruled that the self-certified protections promised by Safe Harbor weren't worthy of Europe's ideal of privacy "as a human right." So they've kicked the whole caboodle back to the various information commissioners of the 28 member states.
This all came about because of an Irish complaint that U.S. companies were assisting the Five Eyes in mass surveillance of EU citizens. What a horrible mess.
In IT Blogwatch, bloggers break out the popcorn. Not to mention: Obligatory Safe Harbor choon...
Your humble blogwatcher curated these bloggy bits for your entertainment.
Mark Mark Scott's words, there may be trouble ahead:
[You're fired -Ed.]
Europe’s highest court ruled on Tuesday that a widely used international agreement for moving people’s digital data between the [EU] and the United States was invalid. [It] throws into doubt how global technology giants like Facebook and Google can collect, manage and analyze online information from their millions of users in the [EU].
[The] decision cannot be appealed. ... The court said that the data-sharing agreement allowed American government authorities to gain routine access to Europeans’ online information [which] infringes on Europeans’ rights to privacy.
Under the...safe harbor agreement, more than 4,000 European and American companies — both tech and nontech businesses — have been expected to treat [data] with the same privacy protections the data had inside the region. But European privacy campaigners...contend[ed] that American data protection rules do not offer the same protections. [It] highlight[s] the different approaches to online data protection by the United States, where privacy is viewed as a consumer protection issue, and Europe, where it is almost on a par with such fundamental rights as freedom of expression.
Duncan Robinson and Murad Ahmed tag-team to talk thuswise:
The EU’s top court has suspended a transatlantic data-sharing deal, leaving internet companies such as Amazon and Facebook scrambling. [The ECJ] ruled data protection authorities across Europe...have the authority to suspend data transfers to the US.
The court declared the agreement invalid because it stops Europe’s data protection watchdogs intervening on behalf of citizens. ... The ruling will also complicate negotiations between Brussels and Washington over a new agreement. ... The decision will also cause consternation among intelligence agencies.
The run-up to the decision had been marked by a diplomatic row between the US and the ECJ, which Washington had accused of making “inaccurate assertions”...an ECJ advocate general accused the US government of carrying out “mass and indiscriminate surveillance.”
And Natasha Lomas crunches the background:
The Safe Harbor executive decision dates back to 2000, and allows U.S. companies to self certify to provide “adequate protection” for the data of European users.
The rules were already under review by the European Commission, in the wake of the Snowden revelations. ... The ECJ’s judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems...in the Irish courts [which] dismissed the complaint, on the grounds that the European Safe Harbor agreement governed such data flows — referring the case to the ECJ. The latter has now ruled that European data protection authorities cannot rely on...Safe Harbor.
In a last minute PR scramble...both the U.S. mission in Europe and...the office of the US director of national intelligence, have been attempting to argue that U.S. intelligence operates ‘targeted’ not mass surveillance, despite the dragnet approach detailed in the Snowden documents. ... Such interventions have clearly failed to sway the court [which] opens U.S. cloud businesses to privacy challenges if they are processing E.U. data in the U.S.
Some might say it's all Max Schrems' fault:
I very much welcome the judgement of the Court. [It] draws a clear line. It clarifies that mass surveillance violates our fundamental rights. ... Governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law. ... US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.
[It's] also a victory against the Irish Data Protection Commissioner (DPC), who has maintained until the end of the procedure, that this case should not be dealt with because it was ‘frivolous.’
US companies that obviously aided US mass surveillance (e.g. Apple, Google, Facebook, Microsoft and Yahoo) may face serious legal consequences...when data protection authorities...review their cooperation with US spy agencies.
And which are these 4,000+ companies we're talking about? Simon Hania obliges:
To avoid incriminating companies, US Safe Harbour site is down. [But] Internet Archive still has it.
Meanwhile, Paul Bernal thinks laterally:
It's good that the #CJEU mentions Snowden explicitly in their press release. Now, some nation in the EU, offer him asylum!
He's performed a critical service for the whole of the EU.
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Opinions expressed may not represent those of Computerworld.