There is no Safe Harbour from U.S. Authorities
Privacy is a human right, and needs very clear legal protections. 'Safe Harbor' was clear as mud and placed privacy rights globally at risk.
Today's European Court of Justice decision should be no surprise for industry or governments. For over fifteen years the U.S. Government has resisted implementing basic and effective privacy law and created absurd stopgap measures because U.S. Congress is incapable of acting upon what consumers and citizens have long asked for. The fact over 100 countries across the world have implemented meaningful protections means that the U.S. Government is in the dark ages of protecting data.
Europe, to date, has bent over backwards to meet this ridiculous situation. The European Court of Justice finally stated what everyone knew all along: this is legally unacceptable, and even fails the essence of the rule of law.
The sky isn't falling upon U.S. industry because of this court decision. If indeed the sky is falling, it began fifteen years ago when industry and the Clinton administration conspired to do nothing to protect people, and then industry lobbied extensively to ensure they could mine away. The Court made clear today that the secret surveillance programmes that were then implemented made this situation even more untenable.
At the heart of this problem is that U.S. law discriminates between Americans and non-Americans. There are legal limits, though incredibly weak, on what the U.S. Government can do to U.S. persons but any non-American is fair game. There are no clear meaningful legal restrictions, and no right of redress for non-Americans. This legal black hole must come to an end.
Edward Snowden's revelations show that the U.S. cannot expect to continue to be the custodian of the world's information unless it strengthens its laws to protect our data. Americans deserve stronger protections, and so does everyone who transacts with American companies. Any modern economy must properly protect people's data. There is no surprise therefore that many individual U.S. states have taken important steps towards essential protections. Now it is time for the U.S. Government to go to work.
First, the U.S. must now create a comprehensive privacy law. That law has to effectively regulate both government and industry. That law should protect the data of all people, regardless of nationality. Second, it can ratify the Council of Europe Convention 108 on data protection, in accordance with demands from consumer protection groups across the U.S., and it would go some way to proving that the new law meets global standards to enable data flows. Good privacy and data protection laws are an economic driver, and encourage personal information transfers between countries.
Significantly, this decision puts the onus on the U.S. Government to further reform the laws regulating surveillance. The Court significantly found that access on a generalised basis to the content of communications by U.S. authorities compromises the essence of the fundamental right to privacy.
In the meantime, the data may continue to flow to U.S. companies under model contracts that strictly govern how data is processed but the data will remain at risk of access by the U.S. authorities. This court decision puts an end to the pretense created by the European Commission of the transfer being under a legal regime that is somehow 'safe'. Safe Harbour's illusion, that created a pool of data that was then accessible by U.S. agencies with little restraint in law, is at long last, no more.