The international fallout over Edward Snowden’s leaks about U.S. surveillance operations continued Tuesday, as the top European court ruled that the National Security Agency is violating the privacy rights of millions of Europeans.
Although the decision by the European Court of Justice is likely to do little to actually curb NSA spying, it could become a major headache for thousands of companies on both sides of the Atlantic.
The court scrapped a “safe harbor” agreement between the United States and the European Union that allowed companies like Google, Facebook, and Amazon to freely store Europeans’ data on U.S. servers. The court held that, because of the NSA’s “mass and undifferentiated” surveillance, the United States lacks the adequate privacy protection required by EU law.
“Permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the judges wrote. The Court of Justice is Europe’s highest court, and its opinion cannot be appealed.
The ruling could empower each EU nation’s individual privacy regulator to investigate company data practices. Although tech companies have been watching the ruling especially closely, it could also affect any businesses that send customer records or human-resources information to the United States. “It’s a sad day for European privacy and a sad day for businesses on both sides of the Atlantic,” said Brian Hengesbaugh, a partner with the law firm Baker & McKenzie, who represents businesses in a variety of industries. “There will be a tremendous amount of upheaval.”
Companies could avoid a regulatory crackdown by adding language to their user agreements or by setting up internal company contracts. But compliance could be especially bewildering for small companies that lack teams of lawyers to interpret the decision.
Privacy advocates, who have long accused the United States of lagging behind Europe on privacy protection, celebrated the ruling. “Safe-harbor was designed to enable U.S. data companies to engage in pervasive commercial surveillance in the EU,” said Jeff Chester, the executive director of the Center for Digital Democracy, a U.S. privacy group. “The end of the current safe-harbor regime will be a major global victory for privacy.”
Companies and the U.S. government have been bracing for this decision since the court’s top adviser recommended throwing out the data agreement two weeks ago. The U.S. government wasn’t a party to the case, but officials in recent days have claimed the lawsuit was based on misperceptions about the NSA’s programs. “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the U.S. Mission to the European Union said in a statement last week. The NSA’s Internet surveillance program, the U.S. Mission said, “is in fact targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.”
Because of the backlash to the Snowden leaks, the United States and EU had already begun renegotiating the details of the safe-harbor framework. Tuesday’s ruling adds pressure to reach a new deal quickly, although talks have reportedly been stalled over how much access U.S. intelligence agencies should have to European data.
The case was brought by Max Schrems, an Austrian graduate student, who accused Facebook of violating his rights by cooperating with the NSA. “This decision is a major blow for U.S. global surveillance that heavily relies on private partners,” Schrems said in a statement. “The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights.”
Edward Snowden tweeted his support for Schrems Tuesday, saying the activist had “changed the world for the better” and that the safe-harbor agreementwas “routinely abused for surveillance.”
In a statement, Facebook emphasized that it was only complying with U.S. law. “This case is not about Facebook,” the Internet giant said. “It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”
—This article has been updated.