At a time when U.S. GDP is expected to drop by levels not seen since the Great Depression, U.S. government surveillance practices are landing another blow to large and small businesses alike.
On Thursday, in a ruling with enormous implications for U.S. companies, the E.U.’s highest court invalidated a data-transfer agreement between the European Union and the United States, known as “Privacy Shield.”
The demise of Privacy Shield is directly attributable to the breadth of U.S. government surveillance, which ensnares the data of countless Europeans in a spying apparatus that is fundamentally at odds with E.U. privacy law. For the more than 5,000 U.S. businesses across the country that rely on Privacy Shield for transatlantic data transfers, the E.U. court’s ruling is a serious problem. But there’s a straightforward way out of this dilemma: comprehensive U.S. surveillance reform.
The case before the E.U. Court of Justice, known as Schrems II, presented two key issues: first, whether the scope of U.S. surveillance means that the United States fails to “adequately” protect the privacy rights of Europeans; and second, whether U.S. remedies for unlawful surveillance are inadequate under E.U. law. The court’s answer to both questions was yes.
Notably, this isn’t the first time that the E.U. Court of Justice has raised concerns about U.S. surveillance.
Under European law, companies have long faced restrictions on transferring large volumes of personal data—that is, data capable of identifying individuals—to countries with weaker privacy rules. To address these restrictions, in the 1990s, the European Union and the United States negotiated an agreement known as “Safe Harbor.” The agreement allowed companies doing business in the European Union to transfer data to the United States, based on the theory that the United States ensures an adequate level of protection for that information.
But in 2013, Edward Snowden’s revelations about warrantless NSA surveillance starkly put the lie to that theory. In response, an Austrian lawyer and privacy activist, Max Schrems, brought a suit against Facebook Ireland. He argued that its reliance on Safe Harbor to transfer data to the United States was unlawful, given the scope of NSA spying. The case made its way to the E.U. Court of Justice, and in 2015, the court invalidated Safe Harbor, based largely on its concerns about the breadth of U.S. government surveillance.
After that ruling, the United States and European Union rushed to negotiate a new agreement, called Privacy Shield—ignoring warnings from civil rights groups like the American Civil Liberties Union that reforms to U.S. surveillance law would be necessary to ensure compliance with E.U. privacy law. The court validated those warnings today, holding that the new agreement fails to protect personal data from the underlying problem: the scope of U.S. surveillance, and the lack of adequate remedies.
As I explained in expert testimony in the Schrems II case, when people’s data is transferred from Europe, it’s vulnerable to warrantless mass surveillance by the U.S. government under two broad spying authorities: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12,333.
Under Section 702, the United States claims the power to target virtually any European to acquire “foreign intelligence,” broadly defined. It pulls information directly from American tech firms, and it collects communications as they’re in transit on the Internet. In addition, under Executive Order 12,333, the government collects enormous volumes of private data in bulk outside of the United States. And there are few (if any) effective remedies for this surveillance, largely because the U.S. government almost never notifies the people subjected to this spying. Without notice, it’s extremely difficult to challenge surveillance in U.S. court.
The E.U. court today also held that European Data Authorities must halt data flows under a second data-transfer mechanism, known as “Standard Contractual Clauses,” to countries that fail to ensure an appropriate level of privacy protections. Based on the court’s analysis, it’s clear that U.S. law will fail that test.
To be clear, the E.U. court’s ruling today will not “break the Internet.” Companies in Europe will still be able to execute individual data transmissions where, for example, users explicitly consent to the transfer of their data. But what today’s ruling does do is radically alter the landscape for large-scale data flows. Companies that relied solely on Privacy Shield are left in the lurch. For companies relying on Standard Contractual Clauses, it will be exceedingly difficult, if not impossible, to outsource significant volumes of data to U.S. tech companies for processing or for backup purposes once Data Protection Authorities act.
U.S. surveillance has become a financial liability for U.S. companies trying to compete in a global market. The only solution to these problems is comprehensive surveillance reform, not another slap-dash attempt to paper over the fundamental problems with U.S. law.
Congress must act now to rein in the NSA’s warrantless spying, and to ensure that individuals have a meaningful opportunity to challenge the government’s surveillance.
Ashley Gorski is a Senior Staff Attorney for the American Civil Liberties Union (ACLU)