At a time when US GDP is expected to drop to levels not seen since the Great Depression, the surveillance practices of the US government are dealing another blow to big and small businesses alike.
On Thursday, in a ruling with huge implications for US companies, the EU’s highest court invalidated a data transfer agreement between the European Union and the United States, known as the “Privacy Shield.”
The disappearance of the Privacy Shield is directly attributable to the breadth of surveillance by the US government, which traps the data of countless Europeans in a spy apparatus that is fundamentally at odds with EU privacy law. For the more than 5,000 US companies across the country that rely on Privacy Shield for transatlantic data transfers, the EU court’s decision is a serious problem. But there is a direct way out of this dilemma: comprehensive reform of US surveillance.
The case before the EU Court of Justice, known as Schrems II, raised two key questions: first, whether the scope of US surveillance means that the United States does not “adequately” protect Europeans’ privacy rights; and second, whether the United States’ remedies for illegal surveillance are inadequate under EU law. The court’s response to both questions was yes.
Notably, this is not the first time that the EU Court of Justice has raised concerns about US surveillance.
Under European law, companies have long faced restrictions on the transfer of large volumes of personal data, that is, data capable of identifying individuals, to countries with weaker privacy rules. To address these restrictions, in the 1990s, the European Union and the United States negotiated an agreement known as “Safe Harbor”. The agreement allowed companies doing business in the European Union to transfer data to the United States, based on the theory that the United States guarantees an adequate level of protection for that information.
But in 2013, Edward Snowden’s revelations about NSA warrantless surveillance exposed that theory as false. In response, an Austrian lawyer and privacy activist, Max Schrems, filed a lawsuit against Facebook Ireland. He argued that the company’s reliance on Safe Harbor to transfer data to the United States was illegal, given the extent of NSA espionage. The case made its way to the EU Court of Justice, and in 2015 the court struck down Safe Harbor, largely due to its concerns about the breadth of US government surveillance.
Following that ruling, the United States and the European Union were quick to negotiate a new agreement, called the Privacy Shield, ignoring warnings from civil rights groups such as the American Civil Liberties Union that surveillance law reforms would be necessary to ensure compliance with EU privacy law. The court upheld those warnings today and held that the new agreement does not protect personal data from the underlying problem: the scope of US surveillance and the lack of adequate remedies.
As I explained in expert testimony in the Schrems II case, when people’s data is transferred from Europe, it is vulnerable to mass surveillance without a warrant by the US government under two broad espionage authorities: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.
Under Section 702, the United States claims the power to target virtually any European to acquire “foreign intelligence,” defined broadly. It extracts information directly from US technology companies and collects communications while they are in transit on the Internet. Additionally, pursuant to Executive Order 12333, the government collects huge volumes of private data in bulk outside the United States. And there are few (if any) effective remedies for this surveillance, largely because the United States government hardly ever notifies people subjected to this espionage. Without notice, it is extremely difficult to challenge surveillance in US courts.
The EU court also held today that European data authorities must stop data flows under a second data transfer mechanism, known as “Standard Contractual Clauses”, to countries that do not guarantee an adequate level of protection of data privacy. Based on the court’s analysis, it is clear that United States law will not pass that test.
To be clear, today’s EU court ruling will not “break the Internet.” Companies in Europe will still be able to execute individual data transmissions where, for example, users explicitly consent to the transfer of their data. But what today’s ruling does is radically alter the landscape of large-scale data flows. Companies that relied solely on Privacy Shield are left behind. For companies relying on Standard Contractual Clauses, it will be extremely difficult, if not impossible, to outsource significant volumes of data to US tech companies for processing or backup once Data Protection Authorities act.
American surveillance has become a financial liability for American companies trying to compete in a global market. The only solution to these problems is comprehensive surveillance reform, not another attempt to cover up fundamental problems with American law.
Congress must act now to curb NSA warrantless espionage and to ensure that people have a meaningful opportunity to challenge government surveillance.
Ashley Gorski is a Senior Attorney for the American Civil Liberties Union (ACLU).