Europe's top court on Tuesday delivered a historic blow to mass surveillance with a ruling that found the right to personal privacy trumps government spying.
The European Court of Justice (ECJ) found in its decision that the so-called "Safe Harbor" agreement, which allowed U.S. companies to "self-certify" that they met strict privacy safeguards while pulling data from European servers, "must be regarded as compromising the essence of the fundamental right to respect for private life" as guaranteed by the European Convention on Human Rights.
The case was brought by Austrian privacy activist Max Schrems, who argued that American surveillance operations such as PRISM—exposed by National Security Agency (NSA) whistleblower Edward Snowden in 2013—rendered useless the privacy safeguards in the Safe Harbor agreement, which for years has allowed technology companies to transfer user data across continental boundaries.
Tuesday's ruling was celebrated widely by privacy advocates, including Snowden himself, who toasted Schrems on Twitter, writing, "Congratulations, @MaxSchrems. You've changed the world for the better."
The bottom line, Snowden said, is that "the #SafeHarbor ruling indicates the indiscriminate interception of communications is a violation of rights."
The ECJ's ruling means companies in the U.S. and EU have to come up with alternative ways of transferring user data—and could impact as many as 4,000 firms, including tech giants like Facebook and Google.
Jens Henrik-Jeppesen, director of European Affairs at the Center for Democracy and Technology (CDT), said the ECJ's decision "shows the need to step up reforms of government surveillance practices."
"The invalidation of the Safe [Harbor] agreement should spur governments on both sides of the Atlantic to ratchet up long-overdue reform efforts," Jeppesen said, adding that it was "undoubtedly a major jolt for companies and will likely adversely impact their operations."
Schrems specifically named Facebook in his complaint to the ECJ, charging that the company forwards information from its Ireland office, where data on more than 83 percent of its users is stored, directly to the NSA and other U.S. intelligence agencies.
Moreover, the court said, the U.S. did not provide adequate recourse for European citizens seeking legal redress over violations of their privacy rights, which "compromises the essence of the fundamental right to effective judicial protection."
"This judgement draws a clear line," Schrems said on Tuesday. "It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible."
As for what real-world solutions may be on the horizon, Schrems said the U.S. government would have to implement "severe changes" in American law and "more than just an update to the current 'safe harbor' system. Otherwise full compliance with EU fundamental rights and the judgment will be very hard to achieve."
But, he said, "There are still a number of alternative options to transfer data from the EU to the U.S. The judgement makes it clear that now national data protection authorities can review data transfers to the U.S. in each individual case—while the 'safe harbor' allowed for a blanket allowance."
Despite some "alarmist comments" about how the ruling may impact the way tech companies do business, Schrems said he sees no reason why better data protection and reviews of data transfers would cause "major disruptions" for consumers or providers.
Nonetheless, notes Electronic Frontier Foundation international director Danny O'Brien, the "fundamental incompatibility of U.S. mass surveillance with European data protection principles" could "certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect."
However, O'Brien added, it will take more than better "reviews" of data transfers to protect Europeans from mass surveillance.
The "geographic siloing of data" by itself, he argues, "is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government—breaking into those systems to extract it."
Other observers had even stronger words for the decision. The World Wide Web Foundation called it a "landmark judgment." The internet advocacy group's global campaign manager Renata Avila said, "Today's Judgment puts people's fundamental right to privacy before profit."
"Without effective safeguards for privacy, the Web as we know it could wither and die," Avila said. "Following today's ruling, new safeguards must now urgently be put in place that protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping."