This week’s ruling by the European Court of Justice striking down the 2000 “Safe harbor” agreement between the European Union and and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies.
“The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards,” Politico’s David Meyer reported. “This gave them a relatively simple mechanism to start legally handling Europeans’ personal data.”
That simple mechanism did not abide by the Commissions own privacy standards, the Court decided.
“The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law,” the EFF’s Danny O’Brien wrote.
A new Safe Harbor agreement is currently being negotiated and the Court’s ruling seems designed to speed that up. But for now many companies — especially smaller companies — and users are now in a sort of a legal limbo.
And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement.
“Uncertainty is their bread and butter,” he told me.
To Sean, this ruling and the urge to break the old agreement without a new one yet in place represent an “old world” view of the Internet where geography was key.
The U.S. government has suggested that it doesn’t need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives.
“The cloud doesn’t have any borders,” Sean said. “Where stuff is located geographically is kind of quaint.”
You can test this out by using an app like Citizen Ex that tests your “Algorithmic Citizenship.” Sean, an American who lives in Finland, is identified as an American online — as much of the world would be.
What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper.
Facebook and Google warned that the U.S.’s aggressive surveillance risked “breaking the Internet.” This ruling could be the first crack in that break.
Avoiding a larger crackup requires a “new world” view of the Internet that respects privacy regardless of geography, according to Sean. He’s hopeful that reform comes quickly and democratically in a way that doesn’t require courts to force politicians’ hands.
The U.S. showed some willingness to reform is surveillance state when it passed the USA FREEDOM Act — the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for “reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333.”
Without these reforms, it’s possible that any new agreement that’s reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.
Helsinki will play host to the first summit between Vladimir Putin and Donald Trump, two…
July 12, 2018
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018