The US is No ‘Safe Harbor’ for Citizens’ Data

“safe harbor”, by manolo guijarro on Flickr (CC BY-NC-ND 2.0)

What happens to your Facebook data — your identity information, photos, links and “likes” — when you share it outside of the US? Plenty. Your data will flow from your computer, to the nearest servers of the company, and eventually land at Facebook's home servers in California, where it will likely be mined by Facebook for commercial gain and subject to snooping by the NSA.

What laws protect your information along the way? Not many. But a recent court ruling should change this for European Internet users.

Until this month, a “Safe Harbor” regulatory policy agreement between the US and EU allowed companies like Facebook and Google to self-regulate the transfer of data between Europe and the US. It is now formally dead. Unilaterally approved by the European Commission in 2000, the policy allowed companies to promise that they would abide by EU privacy laws when handling the data of EU persons, without needing to provide explicit proof of their compliance. Among other things, it required companies to notify users of the collection and use of their data, allow them to opt out of its collection or transfer, and keep it secure.

Since the Snowden revelations, it has become increasingly difficult to believe that US companies uphold EU privacy standards when processing EU user data.

Safe Harbor infographic in French, created by Ledieu Avocats, a French law firm.

The policy was unexpectedly killed on October 6 by the European Court of Justice, which ruled that the United States’ mass surveillance regime makes it impossible for companies to abide by the policy in full. The Snowden leaks revealed the degree to which US technology companies bend to the demands of government, and indicated to the EU court that US companies therefore could not guarantee the same privacy protections as their European competitors.

The case began in 2013, when Austrian privacy activist Maximilian Schrems filed a lawsuit in Ireland (home of Facebook's EU headquarters), in the wake of the Snowden revelations. Schrems challenged Ireland's Data Protection Commissioner to investigate Facebook's compliance with European data privacy laws, as it had pledged to do under the Safe Harbor agreement. When the Commissioner refused, Schrems took them to court.

The Court of Justice’s top legal adviser, Yves Bot, wrote that “Interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.” In an initial response, Schrems wrote:

This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.

Big or small step for Europeans’ right to privacy?

Experts and tech observers in the media were quick to offer analysis and recommendations, with many arguing that the decision should serve as a wakeup call to the United States to reform its surveillance law.

France's government data privacy watchdog, the National Commission on Informatics and Liberty (CNIL), welcomed it as a “key decision for data protection,” and many privacy rights defenders celebrated the decision. French digital rights group La Quadrature du Net wrote:

This is a landmark ruling! By recognising that the surveillance led by the NSA on personal data hosted in the US was prejudicing EU citizens, the CJEU upholds what Human Rights organisations and MEPs were calling for: conditions surrounding the transfer of personal data must be revised, in the light of legislations regarding surveillance and the practices that Edward Snowden has unveiled.

Human rights lawyer Renata Avila, who serves as campaign lead for the Web We Want initiative, joined LQDN in celebrating the victory: “That Max Schrems, a 28 year old law student, could successfully challenge a long-standing international agreement underlines why we must preserve the Web as a space for debate, dissent and progress,” she said in a press statement.

Experts say US surveillance agencies should be unfazed by the ruling, but that it will have significant implications for companies whose business model depends on mass data transfers:

US intelligence agencies won't feel any effects whatsoever over time. The Snowden leaks demonstrated the NSA's unbelievable ability to pick up data anywhere and everywhere it is. They will adapt very fast to the new order. For the GAFA however, the blow is heavy, especially for those whose core economic model is based on private surveillance: Google and Facebook (Apple having almost nothing to fear in this case, Amazon a bit more).

Some users saw the Court's decision as a long-deserved blow to the infamous “GAFA”, the US giants of the Internet: Google, Amazon, Facebook and Apple.

Our favorite front page this Wednesday, in the wake of the UECJ judgment on Safe Harbor? @tazgezwitscher of course!

US-based tech blog TechCrunch speculated that the shift may prompt more companies to begin using strong encryption technology that would allow them to comply with (and exceed) European requirements. While it may seem most painful for the GAFAs of the world, these companies have substantial resources that they can put toward implementing such changes. In contrast, many critics pointed out that small companies may stand to lose the most from the ruling, as they have fewer resources to address the types of operational changes that a new policy will likely require.

The small and medium size business might be victims of the striking-down of Safe Harbor

European data protection authorities have given national governments and the European Commission three months to determine what mechanisms will replace the Safe Harbor system. And open Internet advocates in the EU are ready for the next round. La Quadrature du Net states:

We ask all French and European representatives to draw the necessary conclusions and work towards protection of citizens within the EU, especially by invalidating monitoring laws currently under consideration in many European countries, and notably in France.

Ellery Roberts Biddle contributed to this article.
