Too many spies, too few rules leave no Safe Harbor for anyone

The European Court of Justice, our top legal authority, has struck down the fifteen-year-old agreement with the US that lets American companies store data about European citizens. It did so because Edward Snowden’s revelations about the operations of American and British security services have shown that the law cannot be complied with - a situation that leaves everyone concerned in an epic legal limbo with no clear way out except through top-level political decisions that, to date, our leaders have desperately tried to avoid.

At stake is the regulatory, legal and commercial landscape of every industry that operates internationally, uses the internet and stores personal data. Thus also, our individual privacy. American cloud service providers may have to decide whether to ban European users or risk significant legal exposure - and that’s just for starters.

The legal rule in question, the US-EU Safe Harbor agreement, is simple in concept and sensible in intent, although its effectiveness has long been questionable. It tries to solve the paradox that Europe has much stronger data protection and privacy laws than America, but that many EU citizens and companies want to use American services - like Google, Apple, Facebook and so on. Under Safe Harbor, an American company self-certifies that it follows the stricter EU rules. By so doing, it is allowed to operate in the EU.

This is no longer true. It is plausible that all of the above companies, as well as any EU company that uses American services to store or manipulate EU citizen data, are operating illegally. That remains to be shown - country regulators still have to make the final call - but the Court of Justice has made it clear that Safe Harbor no longer applies, because American law cannot support it.

Maximilian Schrems, an Austrian citizen, precipitated this. He took Facebook to the regulators in Ireland for non-compliance. Facebook’s EU operations are based in Ireland, but the company also stores data in the US. Schrems claimed - and after a series of referrals upwards the Court of Justice upheld - that Snowden’s evidence for wholesale secret data theft by American and British security services, the NSA and GCHQ, meant that it was impossible for Facebook to self-certify.

The Court of Justice found that the legal protections within the US cannot give EU citizens access to see what was actually happening to their data, nor any redress against privacy violations. Both of these are absolute European legal requirements, and the Safe Harbor provision could not guarantee them, no matter what promises were made. In the words of the court ruling, all this “... compromises the essence of the fundamental right to effective judicial protection”.

In other words, the operations of the security services mean that EU law about personal privacy cannot be obeyed. Although this decision is only about American companies, it is possible that GCHQ’s activities within the UK and the EU would result in a similar decision being made, were it to be tested, for data stored within Europe by European companies.

Have the security services been operating illegally? Yes, no, and who knows. The UK’s Investigatory Powers Tribunal - which is as close as British citizens get to challenging the security services in court - ruled in February that the NSA and GCHQ had been operating in breach of human rights laws for many years. The main thrust of the decision wasn’t that data had been collected illegally - a separate matter, still under discussion - but that it had been shared under an illegal regulatory regime, and that people weren’t made aware that they could be under attack nor that there were ways to address this. You may not have heard of the IPT: this is the first time since it was formed in 2000 that it’s found against UK state agencies.

This isn’t a minor legal blip. Citizens now know that their human rights, including those of privacy and redress in court against state injustice, are being bypassed. Companies now know that they cannot comply with the rules the state has laid down: an intolerable situation. Neither citizens nor companies can fix this problem: at this stage, it becomes a political issue, and one of very high importance. We know the burning commitment to free trade that defines contemporary democratic politics in most of the Western world: it is now under a threat no terrorist could dream of emulating.

To fix this, the rule of law must be reinstated without ambiguity or delay. A strong, transparent regulatory environment is needed to bring the security services back under control - something politicians have been extremely reluctant to embark upon. With the security services themselves realising that losing the trust of the people they protect is more dangerous than even the most diligent spy - and Snowden on his way to becoming the first true hero of the 21st century internet - there can be no better time to reboot, rebuild and restore the basic mechanisms of trust that in the end legitimise the state itself. It cannot abdicate its responsibility to obey the law any longer.


« Top Tips: Securing your valuable software-based intellectual property


IBM Watson, Bob Dylan and the limits of machine intelligence »
Rupert Goodwins

Rupert Goodwins expected to be an engineer, but journalism happened. As an engineer, he worked in defence, for Sinclair Research and Amstrad, in startups and for himself. First appearing in print in 1982 and online in 1984,  he's written about all aspects of technology in business for most of the UK nationals and tech magazines, and was most recently editor of ZDNet UK. Tries to solve more problems... See More

  • twt
  • Mail


Do you think your smartphone is making you a workaholic?