European Court Opinion Threatens NSA Spying Overseas

BER­LIN—A land­mark agree­ment on data-shar­ing between the United States and Europe is “in­val­id,” an ad­viser to a top European court said Wed­nes­day, in a de­cision that could lay the ground­work for lim­it­a­tions on the Na­tion­al Se­cur­ity Agency’s glob­al In­ter­net spy­ing prac­tices.

The NSA’s use of a trans-At­lantic “safe-har­bor” agree­ment forged in 2000 to com­pel com­pan­ies like Face­book to share per­son­al data on European cit­izens demon­strates a lack of ad­equate pri­vacy pro­tec­tions un­der­gird­ing the pact, said Yves Bot, the ad­voc­ate gen­er­al for the European Court of Justice, in a non­bind­ing but po­ten­tially in­flu­en­tial leg­al opin­ion.

“The law and prac­tice of the United States al­low the large-scale col­lec­tion of the per­son­al data of cit­izens of the EU … without those cit­izens be­ne­fit­ing from ef­fect­ive ju­di­cial pro­tec­tion,” Bot wrote.

Bot also said that the level of ac­cess gran­ted to the NSA on trans­ferred data con­sti­tuted an in­ter­fer­ence with the Charter of Fun­da­ment­al Rights of the European Uni­on, which prom­ises a right to pro­tect per­son­al data. The ad­voc­ate gen­er­al also said European data-pro­tec­tion au­thor­it­ies could sus­pend trans­fers of data to oth­er coun­tries on grounds of pro­tect­ing pri­vacy.

The case was brought by Max Schrems, an Aus­tri­an law stu­dent, who ini­ti­ated a chal­lenge ori­gin­ally against Face­book on how the com­pany can share data across bor­ders after the 2013 Ed­ward Snowden rev­el­a­tions re­vealed the scope of U.S. in­tel­li­gence-gath­er­ing of In­ter­net data through a pro­gram called PRISM. Schrems ar­gued that he was offered no pro­tec­tion as a European cit­izen from hav­ing his Face­book data spied on be­cause it was trans­ferred from serv­ers in Ire­land to serv­ers in the United States, as per the safe-har­bor agree­ment.

The opin­ion, if ac­cep­ted, has the po­ten­tial not only to hamper how thou­sands of com­pan­ies trans­fer data over­seas but could also re­strict the NSA’s abil­ity to scoop up massive amounts of In­ter­net data on European cit­izens.

“This find­ing, if con­firmed by the court, would be a ma­jor step in lim­it­ing the leg­al op­tions for U.S. au­thor­it­ies to con­duct mass sur­veil­lance on data held by EU com­pan­ies, in­clud­ing EU sub­si­di­ar­ies of U.S. com­pan­ies,” Schrems said in a state­ment fol­low­ing the opin­ion’s re­lease.

Wed­nes­day’s opin­ion es­sen­tially car­ries no leg­al force, but the ad­voc­ate gen­er­al is rarely over­ruled. Des­pite the lack of im­me­di­ate ef­fect, pri­vacy ad­voc­ates quickly cheered the de­cision, in­dic­at­ing it rep­res­en­ted yet an­oth­er groundswell of op­pos­i­tion to NSA sur­veil­lance.

“This case re­in­forces the ur­gent need for sur­veil­lance re­form glob­ally,” said Es­telle Massé, a Brus­sels-based policy ana­lyst for the di­git­al-rights group Ac­cess. “The U.S. law that au­thor­izes the PRISM pro­gram in­ad­equately pro­tects the rights of users, par­tic­u­larly users out­side the United States, and it is im­per­at­ive that the U.S. hon­or its hu­man-rights ob­lig­a­tions and dis­con­tin­ue this type of sur­veil­lance.”

If the case yields a bind­ing de­cision, it will amount to an­oth­er di­git­al-pri­vacy win in Europe, where many view Sil­ic­on Val­ley dom­in­ance with skep­ti­cism. Data trans­fers have been a thorny top­ic between the two con­tin­ents since the Snowden rev­el­a­tions, but Amer­ic­an and European of­fi­cials did fi­nal­ize a long-awaited data-pro­tec­tion deal earli­er this month that would of­fer more pro­tec­tions on how per­son­al in­form­a­tion is pro­tec­ted when shared across the At­lantic by law en­force­ment.

Many com­pan­ies have long re­lied on the safe-har­bor agree­ment to con­duct busi­ness and share data across a glob­al­ized In­ter­net. Upend­ing the data-trans­fer rules could lim­it the trans-At­lantic flow of in­form­a­tion and force com­pan­ies to de­vel­op more data hubs in Europe.

PRISM’s ex­ist­ence was re­vealed in June 2013 as one of the first pro­grams ex­posed via the Snowden archive. The sur­veil­lance pro­gram is used by the NSA to se­cure wide-ran­ging data col­lec­tion from the serv­ers of nine pop­u­lar In­ter­net com­pan­ies, in­clud­ing Google, Mi­crosoft, Ya­hoo, and Face­book. It is gov­erned un­der Sec­tion 702 of the For­eign In­tel­li­gence Sur­veil­lance Act, a pro­vi­sion that will ex­pire in 2017 ab­sent con­gres­sion­al ac­tion.