EU top court: NSA spying means US servers are not a fit home for Europeans' data

Historically, US companies have been able to get around the (relatively stringent) European data-protection rules thanks to a "Safe Harbor" agreement between the US and the EU — but Max Schrems, an Austrian privacy activist, has successfully argued that the NSA's mass surveillance programs violate European law and invalidate the Safe Harbor.

The crux is the European legal right to see and know about the data that's been collected about you. The NSA's PRISM program and other programs that exfiltrate data from private companies' databases are shrouded in strict secrecy — until the Snowden revelations in 2013, the mere existence of these programs was a closely guarded secret — and so the court ruled that US companies may no longer automatically move Europeans' data to US-based servers.

Two important facts about the ruling: first, this doesn't mean that Europeans' data may not be stored in the US; it just means that the storage can't be automatic — it must be reviewed on a case-by-case basis.

Second, and more important: this doesn't mean that Europeans won't be subjected to mass surveillance, including mass surveillance by the NSA.

Many European countries have spying legislation that mirrors the US principle that foreigners can be spied on with impunity, and also its attitude that since there's no way to tell whether you're intercepting your own citizens' data or foreigners' data, you can just spy on everyone, including your own nationals while they're within your own borders. The UK has long embraced this principle, and France is now adopting it, too.

Meanwhile, European spy agencies work closely with the NSA, and even trade the right to surveil their own countries in exchange for access to their own populations — some of the biggest EU member-states are all over this: the UK, Germany, and France (and many others).

So the real losers here are the big tech companies, not the spy agencies. They'll have to do stylized dance-routines to comply with the ruling and the inevitable tightening of the movement of data between servers. But the NSA, GCHQ and other spy agencies will target data-centers wherever they are, and the spy agencies of European nations will surveil their own populations and foreign populations, covertly and overtly harvesting Europeans' data from the data-centers in their own borders, and, often, handing it straight to the NSA, who'll move it to its US data-centers like the titanic facility in Bluffdale, Utah.

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance — by ruling that laws that treat foreigners' data as fair game are unconstitutional. If US tech giants want to get loose from a farcical, expensive, and pointless exercise that continues to treat them as adjuncts to the world's spy agencies, they need to lobby the US government to change the laws under which it treats foreigners as fair game.

What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.

There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.

For the United States, that means reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333. These are the secretive and overbroad regulations that permit NSA to use PRISM and a raft of other programs to spy on Europe and beyond. Equally important, the United States must revisit the laws, regulations, and institutional processes that allow these programs to fester in the dark, largely unaccountable to the public. It is the failure of these laws to adequately rein in the intelligence services that led to this case, and will lead to many more.

No Safe Harbor: How NSA Spying Undermined U.S. Tech and Europeans' Privacy
[Danny O'Brien/EFF]


(Image: 123Net Data Center (DC2), 123net, BY-SA)