The biggest threat internet has ever seen is related to a sentence of the European Court of Justice, its consequences could block the data flow between countries closing internet into “areas”. Last October, the European Court of Justice struck down the Safe Harbor agreement, a 15 year old transatlantic arrangement that permitted U.S. companies to transfer data, such as people’s Google search histories, outside the EU.
In invalidating the agreement, the ECJ found that the blurry relationship between private-sector data collection and national security in the United States violates the privacy rights of EU citizens whose data travel overseas. Basically ECJ states that since NSA can force USA companies to disclose data on their datacenter without a formal trial or without warning European governments when data are related to European citizens, Safe Harbor is not effective anymore.
We should remember that Safe Harbor was created to allow USA companies to store European citizen personal data with the same level of protection and privacy that those data would have had in Europe. Snowden’s revelation on NSA activities makes public that even if European data should be protected by this agreement, as a matter of fact any USA company can be forced to deliver those data to the USA government without noticing the data owners and relative government making the agreement, de facto, inapplicable. ECJ pointed out that this is due to a unilateral behavior of USA government and the decision to struck down Safe Harbor agreement was a technical consequence.
All started in 2013 when Max Schrems, an Austrian law student, brought a case in Ireland against the Safe Harbor agreement based on information revealed in the Snowden files. He argued that the NSA’s spying showed that there was no effective data protection regime in the United States and that the Safe Harbor agreement could not protect European citizens from mass surveillance. Ireland’s High Court appeared to agree, finding that “the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programs.”
The ECJ, in its ruling, cited the Irish High Court’s findings on the Snowden documents and directly tied the fate of the Safe Harbor program to the blurring of private sector data collection and public surveillance in the United States, concluding that national security, public interest, and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.
The decision leaves U.S. technology companies with extensive international operations on shaky legal ground. Although some informed American observers anticipated the decision, most were caught flatfooted; some seemed downright bewildered. Myron Brilliant, the executive vice president of the U.S. Chamber of Commerce, said, “It is particularly alarming that this longstanding agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law.” Critics of the decision, including U.S. Commerce Secretary Penny Pritzker, argue that it will jeopardize the transatlantic digital economy, costing U.S. firms billions of dollars.
Without a new agreement, there is a significant risk that personal data will have to be quarantined within Europe, creating what Eric Schmidt, the executive chair of Alphabet (previously Google), called “percountry Internets.” If that occurred, he continued, it could risk destroying “one of the greatest achievements of humanity.” Some critics, without any consideration on what caused ECJ ruling, also charge that the EU is acting unilaterally to protect its businesses against foreign competition, damaging the open, democratic nature of the Internet. A funny statement coming from a country that, basically, pretended to rule on the internet since the beginning and continuously build protectionist barriers to protect its industry.
Over the past 70 years, the United States has built a global system in which information, investment, and trade move quickly and easily across borders. That openness has created an interdependent world in which the national rules and preferences of one country can shape the rules and preferences of others. The outsized power of the U.S. economy usually gives that role to the United States.
Despite publicly promoting an open and secure Internet, it has privately undermined the encryption of online communications and surreptitiously created vast international surveillance systems in cooperation with close allies, including the United Kingdom. In short, the United States has leveraged the world’s reliance on its economy to influence and spy on foreigners.
This strategy is reaching its limits, and the Safe Harbor decision powerfully demonstrates that Washington needs to wake up to the strategy’s costs.
Although the ECJ has no jurisdiction over the U.S. National Security Agency (NSA), it does have jurisdiction over the European operations of American firms. Its ruling demonstrates that the more Washington tries to leverage the interdependence of the global system for its own security goals, the more other states and their courts will actively resist a U.S. centered global economy. But mostly ECJ has jurisdiction over European rights, and it has a clear mandate to protect European citizen and its data.
Too often, policymakers in Washington mistakenly assume that the narrow selfinterests of the United States and its businesses should automatically go hand in hand with the global order they have helped create. When foreign regulators have sought to apply national rules to U.S. technology companies, the United States has accused them of having ulterior motives. U.S. President Barack Obama, for example, has interpreted foreign governments’ efforts to protect their citizens’ rights against U.S. companies as protectionism in disguise. Speaking in a February 2015 interview about European investigations into Facebook and Google, he said,
“Our companies have created [the Internet], expanded it, perfected it in ways they [Europeans] can’t compete [with]. And oftentimes what is portrayed as highminded positions on issues sometimes is just designed to carve out some of their commercial interests.”
Such claims are both wrong and politically unsustainable, protect European rights is a mandatory duty of every European government, even against USA requests.
When the United States targets states or individuals that are perceived as breaking the rules, such as Iran or Russia, it can usually persuade enough other states to join in, giving its actions a veneer of legitimacy. But when the United States breaks the rules itself in ways that undermine the basic constitutional guidelines of other countries, it should expect a backlash.
The United States had publicly proselytized for the free flow of information while secretly diverting these flows into NSA server farms. It had vigorously supported the global expansion of technology companies, championing the use of Twitter, for example, in prodemocratic movements such as those of the Arab Spring, while quietly requiring some of those firms to turn over troves of data and tapping into their servers overseas.
As U.S. actions have interfered with the basic rights of citizens abroad, they have drawn the ire of a different set of actors who are less easily cowed than politicians: judges, who often see their role as protecting fundamental constitutional protections rather than striking international compromises.
The ECJ has already struck down a measure requiring European communications firms to keep customer data for up to two years, in part because it feared that this information might leave the EU. Now the court has gone one step further, challenging the basis of the transfer of personal information from the EU to the United States.
The United States should recognize that globalization comes in different flavors and that Europeans have real and legitimate problems with ubiquitous U.S. surveillance and unilateralism.
The Safe Harbor dispute stems from the fact that the EU and the United States have fundamentally different understandings of how privacy should work in the digital age. Beginning in the 1990s, European countries developed comprehensive rules governing the collection and processing of personal information, overseen by independent regulatory agencies called “data protection authorities.” This approach to privacy was elevated to a fundamental constitutional right when the EU adopted its Charter of Fundamental Rights in 2009.
The United States, in contrast, lacks a comprehensive approach to privacy, relying instead on an idiosyncratic patchwork of specific—and, in some cases, dated—rules governing sectors as diverse as health care and video rentals.
The problem for the United States is that European regulations have long prohibited the transfer of data to countries that the EU considers to have weak privacy protections, among them the United States. Given the economic benefits of data exchange, the EU and the United States negotiated the Safe Harbor agreement in 2000 to work through these differences. As part of the arrangement, U.S. firms agreed to comply with a set of basic privacy principles overseen and enforced by the U.S. Federal Trade Commission.
In the past 15 years, more than 4,000 U.S. firms have come to rely on Safe Harbor to facilitate transatlantic ecommerce and to transfer data across jurisdictions.
The ECJ’s ruling jeopardizes all of that, U.S. firms have few attractive longterm options if they want to transfer data across the Atlantic. In the short term, EU rules still allow businesses to use contracts, for example, to transfer personal data to the United States. But such transfers are no better protected against U.S. state surveillance than Safe Harbor transfers were. Hamburg’s data commissioner has bluntly advised firms not to rely on these mechanisms and instead to simply keep their data on European servers. European data protection authorities have given Washington a few months’ reprieve to shape up but have threatened to take action if the United States has not reformed its privacy rules by the end of January 2016. They are demanding that the EU and the United States agree on a binding legal arrangement, such as a treaty, that guarantees European privacy rights by keeping data from U.S. intelligence agencies. If the United States does not amend its laws to protect Europeans, U.S. firms will likely need to Balkanize their data flows by quarantining European data in European data centers; otherwise, they will face sanctions from European data protection authorities.
Microsoft’s president, Brad Smith, warns that such fragmentation of the Internet risks a “digital dark ages” that could disrupt everything from creditcard payment systems to airline reservations, costing companies billions of dollars and threatening their global ambitions.
This is going to become a major issue between U.S. and the other countries, mostly EU (but U.K. of course). In the context of a criminal investigation, for example, the United States is now demanding that Microsoft hand over personal data housed in its data center in Ireland. Rather than requesting the data through the ordinary processes of intergovernmental exchange, in which the U.S. government would make a request to law enforcement officials in Ireland, the United States is using the global reach of its legal system to demand the data even in the face of opposition from both the Irish government and Silicon Valley companies that fear this move will further blacken their corporate reputations. A group of powerful technology giants, including Apple and Cisco Systems, has filed a “friends of the court” brief in support of Microsoft and against the U.S. government’s position.