Hear that? It’s the sound of panic, as it dawns on the US that from tomorrow it might not be able to slurp as much data from Europe as it wants... and thousands of multinationals bite their nails over their European client lists.
Europe’s top court will decide tomorrow if the US-EU Safe Harbor Framework is sufficient to protect EU citizens from US spying. In Advocate General (AG) Yves Bot’s opinion published less than two weeks ago, it is not.
The case was brought by Austrian law student Max Schrems who, following rogue sysadmin Edward Snowden’s revelations about the US’s Prism surveillance programme, complained to the Irish Data Commissioner that Facebook had passed his personal data on to the US National Security Agency in breach of his data protection rights.
The case is now before the European Court of Justice, having been kicked upstairs by the Irish High Court.
In his lawsuit, Schrems argues Prism allows “unrestricted access to mass data stored on servers in the US”, and Bot agrees. The AG’s opinion is not legally binding, but the court’s final ruling almost always follows his advice.
There was a swift backlash to the opinion from the US Mission to the EU, but on Monday even the US ODNI (Office of the Director of National Intelligence) felt the situation was so grave it must weigh in.
Robert Litt, General Counsel for the ODNI, claims the AG’s opinion “contains a number of inaccuracies”.
“The Prism programme – which is another name for foreign intelligence collection subject to judicial supervision under section 702 of the Foreign Intelligence Surveillance Act – is NOT based on the indiscriminate collection of information in bulk, as a report from the US Privacy and Civil Liberties Oversight Board makes clear,” said Litt in a statement.
“The programme can be used only to collect communications for an approved foreign intelligence purpose, such as combating terrorism or weapons proliferation, and the court must approve procedures that ensure that targets are appropriately chosen. The programme does not give the US 'unrestricted access' to data,” he continued.
“Even when the US does intercept communications of ordinary people — because, for example, those people are communicating with valid foreign intelligence targets — strict procedures limit how long they can be retained and how they can be disseminated,” said Litt.
He revealed that last year 90,000 people were the targets of surveillance, but did not elaborate on how many of them were from Europe, preferring to compare the figure to the 3.2 billion who use the internet worldwide.
The safe harbour agreement has been the subject of controversy for many years. After the Snowden revelations – which Litt avoided mentioning in his op-ed – the European Parliament called for it to be suspended.
However, the EU executive, the European Commission, was reluctant to do so and instead pinned its hopes on renegotiating the terms of the arrangement.
The agreement was set up 16 years ago to allow businesses to transfer EU personal data to US jurisdiction, despite the US not having sufficient privacy laws to qualify for EU adequacy.
Business between the EU and US could potentially grind to a standstill if data cannot be transferred, as more than 4,400 companies – including Facebook, Apple, Google, Yahoo, Skype and Microsoft – rely on it.
There are rumours that the European Commission will convene a special emergency meeting after the ruling tomorrow and a press briefing has been scheduled with not one, but two Commissioners – President Juncker’s number two, veep Frans Timmermans, and Justice Commissioner Vera Jourova – in the afternoon.
Meanwhile, a German data protection regulator is getting the kicks in against the Irish DPC for its “blind trust” in safe harbour. Marit Hansen, Schleswig-Holstein data protection commissioner, said her Irish counterpart had helped Facebook maintain the “illusion” that Safe Harbor protected EU citizens’ privacy rights. ®