EU Court Advocate General Deals Severe Blow to NSA Surveillance

A legal case, virtually unreported in the U.S., could very well unhinge a major component of this country’s surveillance system. In any case, it certainly challenges it.

Yves Bot, he Advocate General of the European Court of Justice (the European Union’s litigation arena) just published an “opinion” that the privacy and data sharing arrangements between the EU’s 28 countries and the United States are “invalid”, must be revised and cannot now be used to regulate data transfer.

This is to surveillance what an earthquake would be to a city: it wouldn’t halt surveillance but it would destroy one of its major components. While the EU court’s 15 justices have yet to issue their ruling on the opinion, they seldom deviate very much from their AG’s advice and, given that they published his opinion and circulated it to the media, it’s a good bet they are going to approve something close to it. They’ll make that ruling later this year.

But the opinion alone is undoubtedly sending shudders through the halls of the NSA which gets all kinds of data from cooperating big-data companies (like Facebook and Google) and steals data from the ones that don’t cooperate through a program called PRISM.

That’s where one must start in understanding this: PRISM, a highly sophisticated data capture program used by the NSA to steal data from servers in this country and overseas. It’s the most comprehensive spy program in U.S. history and much of its activity involves servers in other countries because that’s where much of the data the NSA wants is stored.

With the advent of the cloud storage programs, your data is “distributed. For instance, an email you send is cut up into little pieces stored in various servers throughout the world. This makes for a more efficient use of storage space. When you ask for your data, the servers cooperate in putting it together and sending it to you. PRISM takes the data as soon as its together, often from a European server right before it is sent out or brought in.

For many years, PRISM was clandestine until whistle-blower Edward Snowden told the world about it.

Enter Maximillian Schrems. An Austrian activist, Schrems has been a Facebook user for many years and, like most activists, he was deeply concerned about Facebook’s policy of transferring his data to the U.S. whenever U.S. Facebook wanted. His logic: Facebook is subject to PRISM data capture and his data would end up with the NSA.

So he sued, targeting Facebook whose European headquarters are in Ireland.

Ireland wouldn’t hear the case; they sent it to the EU’s court where U.S. litigators sniffed at Schrems’ case. If all the data belongs to Facebook, they argued, certainly Facebook can move data wherever if wants. But, argued Schrems’ lawyers, there are actually data laws in various countries preventing that action because several of the EU’s member have strict privacy-protecting and data-collection restriction laws. The U.S. doesn’t.

The simple fact is that it’s much easier for the NSA to get your data from the Internet in the U.S. than it would be in, say, France or Germany. In Europe, companies must be certified as “safe” by the country’s government and must prove they have put into place a series of security and privacy measures. In the United States, the companies “self-certify” by issuing a document detailing what they have in place that can be viewed by users. Nobody checks to see if any of that is true.

So, if you want to give data to the government, move it to the U.S. The AG’s opinion stops that.

In that opinion, Bot cites two concerns:

That the U.S. government has failed to take the appropriate steps Europe has to protect privacy. This is the first incidence of the conflict between the United States and its allied continent many experts have been predicting. Europe has taken steps to protect rights that the U.S. has refused to take.

Also, the fact that U.S. companies can “self-certify” gives them “an enormous advantage” in functioning.

Bot carefully, and diplomatically, avoids the main issue and the main impact but plaintiff Schrems was clear about that:

“This could be a major issue for Apple, Facebook, Google, Microsoft or Yahoo,” he said. “All of them operate data centres in Europe, but may need to fundamentally restructure their data storage architecture and maybe even their corporate structure.”

In other words, if a company is going to give its data to the NSA, it can’t operate cloud storage as it used to because part of the cloud is in a country that doesn’t allow companies to give up data so easily.

The court’s final decision, which all should be watching for, may prove monumental.

Alfredo Lopez writes about technology issues for This Can’t Be Happening!