Ruling shows Europe still vexed over NSA spying, leaving U.S. companies in legal limbo

Schrems’ case eventually reached Europe’s highest court, which did not mince words. The NSA’s wide-ranging surveillance of Europeans’ personal data, it wrote, was threatening “the fundamental right to respect for private life.” The court effectively threw out the Safe Harbor agreement, telling privacy regulators in each member country to figure out if US companies were complying with European law.

Culture clash, part I: the fight over privacy
The court’s decision rests on a completely different vision of privacy from that of the United States. In Europe, privacy is a fundamental right, trumping even free speech. In the United States, not so much. We mostly believe what one tech CEO said back in the 1990s: “You have zero privacy anyway. Get over it.”

As I have previously written, United States law often confuses privacy with secrecy. Even in regular criminal investigations, once private information is shared with anyone, it is no longer protected by the Fourth Amendment right to be secure from unreasonable searches and seizures. So law enforcement can examine your phone records and bank statements without a warrant because you haven’t kept this information completely secret – you’ve shared it with a third party, either the phone company or the bank.

In Europe, if information is personal to you, you have the right to decide how it can be used, even if it has already been collected by Google or Facebook. Just last year, the European court upheld a “right to be forgotten” powerful enough to force search engines to take down links leading to inaccurate or outdated information.

Culture clash, part II: the fight over surveillance
Under Section 702 of the Foreign Intelligence Surveillance Act, the U.S. government can collect the contents of electronic communications, including telephone calls and emails, where the target is reasonably believed to be a non-U.S. person located outside the United States.

Even though these online communications are not technically collected in bulk, hundreds of millions of transactions are intercepted, either through demands made to internet service providers through the Prism program, or through so-called upstream collection, where information is siphoned from the internet’s telecommunications “backbone” over which data travels.

Europe’s concept of individual dignity and privacy cannot happily co-exist with an NSA intelligence-gathering operation on this scale. But which side will give in?

Google and Facebook have warned that NSA surveillance practices could end up breaking the internet if they’re not reformed. The result would be different countries walling off their networks, a trade and innovation disaster.

On the other hand, the European approach might be at odds with the borderless architecture of the internet. As one leading security expert put it, “surveillance is the business model of the internet. We build systems that spy on people in exchange for services. Corporations call it marketing.”

So what happens next?
Ah. I was afraid you might ask that.

Large businesses are operating as usual, only with armies of lawyers behind the scenes redrafting contracts and figuring out next moves. Some are speeding up plans to build European data-storage facilities, even though it’s not clear that geographical siloing of data will really protect against NSA surveillance. The situation is even more daunting for smaller companies, which represent 60 percent of the users of Safe Harbor. Data service and storage companies working for U.S. multinationals risk being replaced by European companies if data can’t be transferred.

The European Commission has promised new guidance soon, but negotiations between Europe and the United States for a new data transfer pact have been dragging on for two years. Worse, any agreement will have to address the fundamental incompatibility between European and American laws. If U.S. companies pledge to keep data safe, they could find themselves in violation of NSA demands for “compelled assistance,” potentially exposing them to fines as high as $250,000 a day. But if U.S. companies comply with NSA requests for user data, they might be violating Europe’s privacy laws and face fines from their European hosts. So what’s a company to do?

For now, the U.S. Department of Commerce is “continuing to administer the Safe Harbor program, including processing submissions for self-certification.” It does add, however, that companies might want to call a lawyer.

One thing is certain. It’s going to be a legal fees bonanza.

Caren Morrison is Associate Professor of Law, Georgia State University. This article is published courtesy of The Conversation (under Creative Commons-Attribution/No derivative).