U.S. law gives the National Security Agency a green light to collect a staggering amount of personal data from phone and Internet users around the world, most of whom aren't even remotely connected to terrorists. On Tuesday, however, a European court said the NSA's shotgun approach to surveillance violated Europeans' privacy rights. And because the European Court of Justice has no jurisdiction over the NSA, it took out its displeasure on the Internet.
Specifically, the European Court of Justice struck down the "safe harbor" arrangement that allowed Internet companies based in America to store European users' data on servers in the United States. That agreement enabled Facebook, for example, to store the profiles of its Spanish and Italian users on the same facilities it uses for customers in New York. In addition to supporting the free flow of information online, safe harbor promotes competition and innovation because it lets new entrants launch cloud-based services to a transatlantic audience without having to set up data storage facilities in every European state where they have customers.
The court held that the arrangement, which the European Commission negotiated with the U.S. government in 2000, wasn't compatible with the European Union's Charter of Fundamental Rights because U.S. companies are required to comply with the NSA's large-scale efforts to collect data in ways that violate EU privacy rules. U.S. companies can satisfy the EU rules in other ways, but those alternatives are so costly that smaller companies may be driven out of the continent.
It's tempting to say to the NSA, "This is another fine mess you've gotten us into." But the EU's right to privacy includes an exemption for national security surveillance; the problem here is that the European Court of Justice didn't think what the NSA was doing qualified for the exemption, and it didn't want the European Commission stopping privacy regulators in the 28 European countries from imposing their own terms on U.S. companies.
One irony is that safe harbor gives European users' data more protection than they would get from U.S. law alone. That was the point of the agreement: to set a higher privacy standard that the Federal Trade Commission would enforce. Tuesday's ruling could create what amounts to 28 different privacy regimes for firms seeking to transmit customer data from Europe to the U.S., a morass that would only discourage U.S. Internet companies from serving the region.
That's why European and U.S. officials should come up with a new safe harbor as soon as possible. Congress can help that effort by tightening the limits on the data the NSA can collect and by giving Europeans the same rights as U.S. citizens to redress privacy wrongs in court. And the European Commission can help by making sure that the agreement sets a standard that all countries in the region will live by. Although talks between the two sides have been under way for some time, the European Court of Justice's ruling should spur them to a swift conclusion.