A major European court ruling regarding electronic privacy this week has the potential to shake up trans-Atlantic commerce and maybe impact the privacy debates in the United States over government snooping, analysts say.
On Tuesday, the European Union’s highest court struck down a controversial directive that encouraged telecommunication and mobile phone companies to retain users’ private data records for up to two years.
The EU’s European Court of Justice invalidated the 2006 EU Data Retention Directive on privacy grounds, noting in its opinion that “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”
The Court seemed particularly concerned by the directive’s breadth of data collection.
“The directive covers, in a generalized manner, all individuals, all means of electronic
communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime,” according to an ECJ press release.
“This really was the first time the EU court in Luxemburg was asked about its interpretation of privacy since the adoption of the EU Charter of Fundamental Rights in 2009,” he said.
While EU member nations could now begin debating electronic surveillance programs specific to their borders, the court’s firm rejection of the 2006 directive means that any new programs could also be challenged in court.
“Mandated government surveillance,” Arnbak said, “strikes at the heart of democracy.”
Impact in the US
The ruling leaves new questions in its wake. Among them, what conflicting EU and U.S. laws on data collections will mean for commerce, and concerns for the future of President Barack Obama’s proposed NSA reforms on surveillance and data collection.
“Law is culture,” said Bennet Kelley, founder of the Los Angeles-basedInternet Law Center. “What you do in law speaks about who you are as a people. The EU has a different viewpoint about privacy…than the U.S..”
Data commerce across the Atlantic, said Kelley, is governed by something called the “European Safe Harbor.”
Before any data can leave an EU member nation, U.S. telecommunications firms must certify they follow privacy policies and programs similar to the more stringent EU protections, creating a “safe harbor” for data privacy.
However, Kelley said, regulators on both sides of the Atlantic have long known that many U.S. safe harbor certifications are actually false, creating a serious potential problem for U.S. companies doing business in the EU.
This week’s court ruling, he said, will only make commerce more difficult.
“Even before Snowden, there were concerns about the EU Safe Harbor,” Kelley said.
“There’s already skepticism in Europe because of that, and then you throw in Snowden, it creates more distrust. Having one more element of differentiation between the U.S. and EU is just not helpful.”
The ruling also comes just a few weeks after President Obama proposedallowing U.S. telecommunications companies to engage in exactly the sort of data collection the ECJ just rejected.
As part of his overhaul of U.S. electronic surveillance efforts, President Obama wants to remove what’s known as the “bulk metadata collection program” from the NSA and make mobile phone and data companies responsible for electronic record-keeping.
“Now it seems like it’d be a hard ask,” Kelley said.
Researcher Axel Arnbak agreed.
“Not only its courts, but the EU Parliament and Commission have quite strongly responded to the Snowden revelations and this data retention ruling,” Ambak said. “Those in the U.S. that seek to preserve privacy and freedom in the digital age have an extra tool in their kit.”
The U.S. Supreme Court this week declined to hear a challenge to the NSA bulk metadata collection program.