In a decision that affects worldwide data flows, the European Union Court of Justice has ruled that the EU-U.S. Safe Harbor framework that allows for the transfer of data from EU countries to non-EU countries is invalid because the U.S. cannot adequately protect its privacy.

Two weeks ago, a senior European Union legal official advised the EU court that the U.S. cannot ensure adequate privacy protections of a European Facebook subscriber's information transferred to U.S. servers, citing mass U.S. government (NSA) surveillance revealed by leaker Edward Snowden and saying that the 2000 safe harbor agreement between the EU and the U.S. was invalid.

The Court of Justice agreed.

"[T[he United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way

incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security," the court ruled. "Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased."

The European Commission is currently negotiating with the U.S. on some of the safe harbor's "shortcomings."

"The Safe Harbor agreement has been the cornerstone of the transatlantic digital economy since before global companies like Facebook were founded," said Daniel Castro, VP at the Information Technology & Innovation Foundation. "In the wake of the Snowden disclosures, European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law. But abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns. It will disrupt not just the thousands of U.S. and European companies that currently depend on the Safe Harbor to do business across the Atlantic, but also the broader digital economy. Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to transatlantic digital commerce. Policymakers in the United States and EU should work together swiftly to implement an interim agreement so that we do not shut down transatlantic digital commerce overnight."

The Computer & Communications Industry Association, which said its members depend on "predictable rules for cross border data flows," was also clearly concerned.

“The ruling creates uncertainty for the European and International companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises," said CCIA Europe Director Christian Borggreen. "We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most.”

“We urge the European Commission to immediately issue guidance to companies that depend on Safe Harbor for their commercial data flows," he said.

And as for coming up with a new safe harbor agreement: "We encourage EU and U.S. negotiators to quickly present a new, safer Safe Harbor framework to ensure predictable rules to the benefit of European consumers and companies, addressing the concerns of the court.”

Consumer Groups essentially said "good riddance" to the agreement and argued that it was a signal the U.S. needs to pass privacy legislation.

The TransAtlantic Consumer Dialog (TACD), whose members include the Center for Digital Democracy, said in a statement that its members "strongly welcome" the court's decision. "We, and our members, have repeatedly pointed out that the Safe Harbour agreement is not an effective way to protect the privacy and rights of Europeans," the group said in a statement. "Safe Harbor, agreed between the US and the EU in 2000, is a poorly enforced voluntary system based on companies’ self-certification to the U.S. Department of Commerce that they protect EU consumer data.  But the program has been widely criticized by experts and advocates across the Atlantic."

"It is also more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100 plus other countries round the world," they said. "In the absence of legislation, the U.S. cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by US companies."

Harriet Pearson, a partner in global law firm Hogan Lovells’ Cybersecurity practice, said the court's decision was an "unwelcome development" but not the end of the world, particularly given the EU-U.S. negotiation on a next-gen safe harbor.

In a decision that could affect the flow of data from Europe to the U.S.,  a senior  European Union legal official has advised the EU's Court of Justice that the U.S. cannot ensure adequate privacy protections of European Facebook subs' information transferred to U.S. servers due to mass government surveillance and that a 2000 safe harbor agreement that suggested the U.S. did provide that adequate security is invalid.

Advocate General Yves Bot was providing guidance to the court, which had asked whether that safe harbor agreement precluded  investigating a complaint that, in light of the Edward Snowden revelations about NSA surveillance activities, the U.S. offered no real protections, the safe harbor agreement notwithstanding.

AG Bot said that it was clear that "the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection."

In addition, Bot said that "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data," and that EU citizens'  inability to be heard in the U.S. about their concerns over surveillance interferes with their right to an effective remedy to surveillance that is "Mass" and "indiscriminate."

The European Commission is currently negotiating with the U.S. on some of the safe harbors "shortcomings," Bot concedes, but says the EC should have suspended that safe harbor decision since by the very fact of negotiating new protections it was conceding the 2000 decision was no longer "adapted to the reality of the situation."

Bot's opinion is not binding on the Court of Justice.

Jeff Chester, executive director of the Center for Digital Democracy, called the decision "a powerful rebuke against the way U.S. data companies gather information from the EU; raises the legality of the so-called data exchange agreement between the U.S. and EU (Safe Harbor) and sets stage for a court ruling that could overturn that agreement."

“The Advocate General’s opinion puts the nail in the coffin of Safe Harbor," said European consumer group BEUC. "This agreement fails to protect European’s personal data. We hope the European Court of Justice will follow this line and stop the mass-circumvention of EU data protection rules. We welcome the Advocate General’s point of view that national data protection authorities have the responsibility to investigate infringements committed by foreign companies under Safe Harbor. The European Commission, which is currently renegotiating Safe Harbor, received today a clear message that the transfer of European citizens’ data cannot be based on self-assessment by U.S. companies.

Senate Saturday  failed to pass either the USA Freedom Act (http://www.broadcastingcable.com/news/washington/white-house-senate-dont...)or a short-term renewal of Sec. 215 bulk data collection authority under the PATRIOT Act, which expires June 1.

USA Freedom is a bipartisan House-passed bill that would end indiscriminate bulk metada collection by the NSA, which was brought to light through leaks by NSA contractor Edward Snowden. The bill would not end bulk collection, but would have narrowed it and provided for more transparency.

The alternative was a straight, two-month extension of the PATRIOIT Act authorities while Congress continued to debate the issue, but that failed as well.

The Senate has exited for the Memorial Day break, but is scheduled to return early (on Sunday, May 31) to deal with the USA Freedom Act and perhaps get an up or down vote.

The Information Technology Industry Council (ITI), which represents computer and tech companies including Google, Microsoft, Apple and Panasonic, was not pleased with Congress' inaction.

“We are incredibly disappointed in the Senate’s failure to pass the USA Freedom Act," said ITI President Dean Garfield. "This morning’s (May 23) vote was a missed opportunity to bring certainty and clarity to our nation’s surveillance laws.  We have said from the beginning that Congressional action is needed to restore trust here at home and globally in our government and the technology sector.  The USA Freedom Act would have effectively ended indiscriminate bulk collection of data and bring much needed transparency to the process by allowing tech companies to report information about the government orders they receive for access to data. 

“Unfortunately, now, the path forward is shaky and uncertain. We call on Congress to remain committed to finish the necessary steps to ensure that surveillance authorities appropriately protect peoples’ privacy and civil liberties while enabling a lawful and legitimate access to data by the government.”

Kevin Bankston, policy director of New America’s Open Technology Institute, called it a "shocking insult to the democratic process, and to the American people who have been demanding reform for two years, that the Senate’s leaders have ignored the White House, federal judges, and an overwhelming majority of the House of Representatives by blocking the USA Freedom Act."

Privacy advocates who argued USA Freedom provided insufficient protections and who also opposed the short-term PATRIOT Act reauthorization, or any reauthorization for that matter, were celebrating the bills' failure.

“These bills were an attempt to disregard the abuses revealed by Snowden and cement mass surveillance into law in defiance of the Constitution, the courts, and public sentiment,” said Jeff Lyon, CTO of Fight for the Future, in a statement, “The failure of these bills to pass shows just how dramatically the politics of surveillance changed once the extent of the government’s surveillance programs became known to the public.”