National Journal

This article is from the archive of our partner National Journal

The international fallout over Edward Snowden’s leaks about U.S. surveillance operations continued Tuesday, as the top European court ruled that the National Security Agency is violating the privacy rights of millions of Europeans.

Although the decision by the European Court of Justice is likely to do little to actually curb NSA spying, it could become a major headache for thousands of companies on both sides of the Atlantic.

The court scrapped a “safe harbor” agreement between the United States and the European Union that allowed companies like Google, Facebook, and Amazon to freely store Europeans’ data on U.S. servers. The court held that, because of the NSA’s “mass and undifferentiated” surveillance, the United States lacks the adequate privacy protection required by EU law.

“Permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” the judges wrote. The Court of Justice is Europe’s highest court, and its opinion cannot be appealed.

The ruling could empower each EU nation’s individual privacy regulator to investigate company data practices. Although tech companies have been watching the ruling especially closely, it could also affect any businesses that send customer records or human-resources information to the United States. “It’s a sad day for European privacy and a sad day for businesses on both sides of the Atlantic,” said Brian Hengesbaugh, a partner with the law firm Baker & McKenzie, who represents businesses in a variety of industries. “There will be a tremendous amount of upheaval.”

Companies could avoid a regulatory crackdown by adding language to their user agreements or by setting up internal company contracts. But compliance could be especially bewildering for small companies that lack teams of lawyers to interpret the decision.

Privacy advocates, who have long accused the United States of lagging behind Europe on privacy protection, celebrated the ruling. “Safe-harbor was designed to enable U.S. data companies to engage in pervasive commercial surveillance in the EU,” said Jeff Chester, the executive director of the Center for Digital Democracy, a U.S. privacy group. “The end of the current safe-harbor regime will be a major global victory for privacy.”

Because of the backlash to the Snowden leaks, the United States and EU had already begun renegotiating the details of the safe-harbor framework. Tuesday’s ruling adds pressure to reach a new deal quickly, although talks have reportedly been stalled over how much access U.S. intelligence agencies should have to European data.

“Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU,” U.S. Commerce Secretary Penny Pritzker said in a statement. “We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

She promised to work with European negotiators to update the safe harbor framework “as soon as possible.”

The case was brought by Max Schrems, an Austrian graduate student, who accused Facebook of violating his rights by cooperating with the NSA. “This decision is a major blow for U.S. global surveillance that heavily relies on private partners,” Schrems said in a statement. “The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights.”

Edward Snowden tweeted his support for Schrems Tuesday, saying the activist had "changed the world for the better" and that the safe-harbor agreement was "routinely abused for surveillance." 

In a statement, Facebook emphasized that it was only complying with U.S. law. “This case is not about Facebook,” the Internet giant said. “It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”

—This article has been updated. 

This article is from the archive of our partner National Journal.

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.