IMAGE DISTRIBUTED FOR THE NEW YORKER - Edward Snowden talks with Jane Mayer via satellite at the 15th Annual New Yorker Festival on Saturday, Oct. 11, 2014 in New York.

IMAGE DISTRIBUTED FOR THE NEW YORKER - Edward Snowden talks with Jane Mayer via satellite at the 15th Annual New Yorker Festival on Saturday, Oct. 11, 2014 in New York. Christopher Lane/AP Images for The New Yorker

NSA Spying Violates Privacy Rights, EU Court Rules

The decision likely won’t curb the surveillance, but could mean headaches for thou­sands of com­pan­ies.

The in­ter­na­tion­al fal­lout over Ed­ward Snowden’s leaks about U.S. sur­veil­lance op­er­a­tions con­tin­ued Tues­day, as the top European court ruled that the Na­tion­al Se­cur­ity Agency is vi­ol­at­ing the pri­vacy rights of mil­lions of Europeans.

Al­though the de­cision by the European Court of Justice is likely to do little to ac­tu­ally curb NSA spy­ing, it could be­come a ma­jor head­ache for thou­sands of com­pan­ies on both sides of the At­lantic.

The court scrapped a “safe har­bor” agree­ment between the United States and the European Uni­on that al­lowed com­pan­ies like Google, Face­book, and Amazon to freely store Europeans’ data on U.S. serv­ers. The court held that, be­cause of the NSA’s “mass and un­dif­fer­en­ti­ated” sur­veil­lance, the United States lacks the ad­equate pri­vacy pro­tec­tion re­quired by EU law.

“Per­mit­ting the pub­lic au­thor­it­ies to have ac­cess on a gen­er­al­ised basis to the con­tent of elec­tron­ic com­mu­nic­a­tions must be re­garded as com­prom­ising the es­sence of the fun­da­ment­al right to re­spect for private life,” the judges wrote. The Court of Justice is Europe’s highest court, and its opin­ion can­not be ap­pealed.

The rul­ing could em­power each EU na­tion’s in­di­vidu­al pri­vacy reg­u­lat­or to in­vest­ig­ate com­pany data prac­tices. Al­though tech com­pan­ies have been watch­ing the rul­ing es­pe­cially closely, it could also af­fect any busi­nesses that send cus­tom­er re­cords or hu­man-re­sources in­form­a­tion to the United States. “It’s a sad day for European pri­vacy and a sad day for busi­nesses on both sides of the At­lantic,” said Bri­an Henges­baugh, a part­ner with the law firm Baker & McK­en­zie, who rep­res­ents busi­nesses in a vari­ety of in­dus­tries. “There will be a tre­mend­ous amount of up­heav­al.”

Com­pan­ies could avoid a reg­u­lat­ory crack­down by adding lan­guage to their user agree­ments or by set­ting up in­tern­al com­pany con­tracts. But com­pli­ance could be es­pe­cially be­wil­der­ing for small com­pan­ies that lack teams of law­yers to in­ter­pret the de­cision.

Pri­vacy ad­voc­ates, who have long ac­cused the United States of lag­ging be­hind Europe on pri­vacy pro­tec­tion, cel­eb­rated the rul­ing. “Safe-har­bor was de­signed to en­able U.S. data com­pan­ies to en­gage in per­vas­ive com­mer­cial sur­veil­lance in the EU,” said Jeff Chester, the ex­ec­ut­ive dir­ect­or of the Cen­ter for Di­git­al Demo­cracy, a U.S. pri­vacy group. “The end of the cur­rent  safe-har­bor re­gime will be a ma­jor glob­al vic­tory for pri­vacy.”

Com­pan­ies and the U.S. gov­ern­ment have been bra­cing for this de­cision since the court’s top ad­viser re­com­men­ded throw­ing out the data agree­ment two weeks ago. The U.S. gov­ern­ment wasn’t a party to the case, but of­fi­cials in re­cent days have claimed the law­suit was based on mis­per­cep­tions about the NSA’s pro­grams. “The United States does not and has not en­gaged in in­dis­crim­in­ate sur­veil­lance of any­one, in­clud­ing or­din­ary European cit­izens,” the U.S. Mis­sion to the European Uni­on said in a state­ment last week. The NSA’s In­ter­net sur­veil­lance pro­gram, the U.S. Mis­sion said, “is in fact tar­geted against par­tic­u­lar val­id for­eign in­tel­li­gence tar­gets, is duly au­thor­ized by law, and strictly com­plies with a num­ber of pub­licly dis­closed con­trols and lim­it­a­tions.”

Be­cause of the back­lash to the Snowden leaks, the United States and EU had already be­gun rene­go­ti­at­ing the de­tails of the safe-har­bor frame­work. Tues­day’s rul­ing adds pres­sure to reach a new deal quickly, al­though talks have re­portedly been stalled over how much ac­cess U.S. in­tel­li­gence agen­cies should have to European data.

The case was brought by Max Schrems, an Aus­tri­an gradu­ate stu­dent, who ac­cused Face­book of vi­ol­at­ing his rights by co­oper­at­ing with the NSA. “This de­cision is a ma­jor blow for U.S. glob­al sur­veil­lance that heav­ily re­lies on private part­ners,” Schrems said in a state­ment. “The judg­ment makes it clear that U.S. busi­nesses can­not simply aid U.S. es­pi­on­age ef­forts in vi­ol­a­tion of European fun­da­ment­al rights.”

Ed­ward Snowden tweeted his sup­port for Schrems Tues­day, say­ing the act­iv­ist had “changed the world for the bet­ter” and that the safe-har­bor agree­ment was “routinely ab­used for sur­veil­lance.” 

In a state­ment, Face­book em­phas­ized that it was only com­ply­ing with U.S. law. “This case is not about Face­book,” the In­ter­net gi­ant said. “It is im­per­at­ive that EU and U.S. gov­ern­ments en­sure that they con­tin­ue to provide re­li­able meth­ods for law­ful data trans­fers and re­solve any is­sues re­lat­ing to na­tion­al se­cur­ity.”

This art­icle has been up­dated.