ECJ Judgement on "Safe Harbour" has big implications for global companies

This isn’t final, but “usually followed” and has big implications for cross-border data storage that will affect large companies and could create a big barrier to mass surveillance.

The opinion by Bot contains far-reaching recommendations that
threaten to upend many current commercial practices and assumptions in
the digital industry.

If any EU country considers that transferring data to servers abroad
undermines the protection of citizens, the advocate general’s finding
said, it has the power to suspend that transfer “irrespective of the
general assessment made by the [EU] commission in its decision”.

“The access of the United States intelligence services to the data
transferred covers, in a comprehensive manner, all persons using
electronic communications services, without any requirement that the
persons concerned represent a threat to national security,” Bot’s
opinion noted in one of its most damning sections.

“Such mass, indiscriminate surveillance is inherently
disproportionate and constitutes an unwarranted interference with the
rights guaranteed by Articles 7 and 8 of the charter [of fundamental
rights of the EU].”

The Luxembourg court found the Safe Harbor agreement
between the US and Europe, which gives spies access to huge banks of
data, does not stop watchdogs from investigating complaints or bar them
from suspending the transfers.

The arrangement allows the NSA
to use the Prism surveillance system exposed by Snowden to wade through
billions of bits of personal data, communication and information held
by nine internet companies.

The opinion states that the commission’s past decision on Safe Harbor within the US is invalid. It said internet users in Europe have no effective judicial protection while the large-scale data transfers are happening.


Okay I feel like a complete idiot here but I’m not exactly sure what all that meant. Could someone break all that down.

Basically its saying

  • the “advocate general” has power to reverse general assessment made by the [EU] commission in its decision over allowing companies to moving EU data & data stores offshore. Usually this is where it involves EU citizens private data
  • the USA policy using the NSA to vacuum all data that passes through its borders makes the EU citizen’s data insecure and no longer private.
  • So the “advocate general” may reverse the decision to any data to be stored off shore (typically that means in the USA) where it feels EU citizen’s privacy is being breached.

It is about the private data, I doubt it is about facebook etc which is considered public data

1 Like

But FaceBook holds itself out as providing some degree of privacy. It doesn’t but I wish the EU would slap it around. My sense is some day it will come out that FaceBook was just a prism cover from the start. It was something manufactured by the US state. One of my fondest hopes is that SAFE can put FaceBook out of business with an open source version that either doesn’t make money at all or doesn’t make it off exploiting people or interrupting them with ads. Its really just a form of social search it can be replaced.

This will damage the old internet but personally I think its great. The EU actually cares about it cares about its people but also doesn’t want domination by US firms and wants to make room for EU alternatives.


Hey @Blindsite2k

So the EU has data privacy laws that give several rights to ordinary people. Most importantly EU law grants their people a procedure by which they can complain to a relevant State Agency that Company X is misusing their data, publishing it when it was supposed to be private, publishing false information etc.

Now the immediate loophole here is that if a company can transfer data to an offshore server which is technically owned by a shell company, then the EU person is out of luck because even in those countries that ostensibly award some kind of privacy rights, there is no process or authority that you can complain to about who is holding your data.

So to counter this most obvious loophole, the EU says that if you collect or obtain personal data from EU persons (so this is broader than just citizens) you CANNOT take it out of the EU unless the country you are taking the data to has adequate substantive and procedural rights so that you can effectively exercise what the EU give you.

Now, it may come as a shock to all of you, but the U.S. does NOT meet this requirement. There was an EU case which held that, and for a little while, NO EU data could be transferred offshore.

So what the EU did was they put out Model Contracts (which apply to a specific transaction) and Binding Corporate Rules (which apply to the entire corporate structure), and which are basically an attempt to get companies to contractually obligate themselves to give the EU persons the same rights they have over data which has been transferred out of the EU. They collectively call these contracts a Safe Harbor.

Now what the EU had held was that the US failed to make personal data rights available by law. What is happening now is that the EU is recognizing that the actual practice of the U.S. makes it IMPOSSIBLE for a company which is operating in U.S. territory to comply with the safe harbor provisions. (What Snowden has revealed is that the US has made it impossible for any company operating anywhere to meet that standard, but thats another issue).

So this is a big deal. Hope that helps.


It does since I had no idea bout all the proceedures and beaurocracy of the EU, hence all the confusion.

1 Like

Glad to be of service.

Why wouldn’t I (let’s say, a small US provider of hosting services) operate out of the US only and sell services to EU citizens?
The likes of FB and Google may not be able to do the same because they must sell ads in the EU and they must have employees and accounts in the EU if they want that to work smoothly.

1 Like

The short answer is, the reason you wouldn’t is that you would be violating EU law, and they might bring any of the normal ways to enforce the law against people outside their jurisdiction. They could complaint to the FCC. They could get a civil judgement for damages against you in an EU court, and if you don’t show up to defend, then they can send the judgement over to the US and likely it will be enforced against you, likely under the same treaties that the US uses to freeze swiss bank accounts etc.

One of the little understood side effects of the U.S.'s relentless world-wide pursuit of terrorist financing is that in order to get other countries consent to rely on U.S. warrants in freezing and seizing assets they had to agree to subject the U.S. (that is U.S. citizens) to that other country’s warrants. This is only a downside if the U.S. government was concerned with the rights and liberties of U.S. citizens, which I leave for you to evaluate as you see fit.


Yes well it seems that if it affects profit margins then the rights of citizens will become of great concern to big corporations.

The US isn’t because its been corrupted and needs a roll back of crony law. The UK is doing the same as the US or even more, which is part of why the rise of Jeremy Corbyn is important…

There is the option of injunction where the EU simply boots the US firms from the market in addition to asset freezing and forfeiture. Now when people think there aren’t capital controls or that capital flight is condoned or is so easy they need to consider this. Protectionism is finally setting in to stop the pitting of ordinary people against each other in a downward death spiral that’s no more honorable than one 18 year old fighting another with bayonets in another war for money. Privacy is the best basis for rights assertions and this is a rights assertion against money and it shows money is not speech and it shows that there are no corporate rights because they wouldn’t even be secondary. Amazing how quickly the insanity of injustice fades when subjected to the light of justice. At the same time all but Germany in the EU have been engaging in the austerity idiocy.

Even if this splits the internet it will be worth it because a fully corpratized internet is as wortheless and democracy destroying as sponsor driven cable TV. We don’t need a corporate curated net. Bring on the SAFE disruption to end the corporate and corporate state cooptation!

1 Like

I’ve got to fundamentally disagree with you there Warren. A global internet, is all things considered a really hard market to “Dominate” in a cronyist manner. A national or regional internet is Much Much easier to do the same thing to.

One of the greatest strengths of the internet is that we deal everyday with persons or entities who are under different jurisdictions. We are not limited to people bound under the same laws which we have for good or bad.

If that changes, I don’t think it will be a good thing.


thanks @kirkion for very insightful and crips summaries (not your first one that I highly appreciated!)


I know the Internet is man’s greatest achievement, as great as language, the one to unify the globe and our best chance for peace. But stand by. Amazon is refusing to contine to sell Google’s Chrome Cast and Apple TV because despite being best sellers they interfere with Amazon’s walled garden plans. Amazon is not alone in the US with this mentality.

Because the US is money first I think they back down.
At the same time since the value control by money above all else if it looks like a so called trade war over their attempts to violate EU citizen’s privacy they probably back down while trying to insist they are right.

Over here the Washington consensus types see the net as a puppet spy network and means of social control and a way to help push stuff like the DMCA and SOPA/PIPA/CISPA/TPP. They will turn your EU internet into Fox News as they are trying to do in the US. They don’t even accept neutrality, they demand paid discrimnation and censorship instead. They convinced Americans that its necessary to give puppet media billions of dollars to elect someone which they use to fuel more lies. They are money first and people last. They think social control through money is a right they’ve earned through their frauds. They actually think its a post 911 world as if their 911 fraud happened to the EU too. But EU members especially France were always skeptical and now appear to be drawing a line on the abuse. Corbyn is right in pointing to Blair-Bush-Cameron as the terrorists. Were these agreements needed to track Bush, Blair Cameron’s money?

The US Right’s idea of the internet is command and control exploitation and you’re supposed to pay $100 plus a month for a slow connection with little upload bandwidth but regular increases and no choice of provider. Better to severe the gangrenous limb and replace it with SAFE.

1 Like

FACTA is one way.
I don’t think that civil judgments from the EU translate to the US, but I will take a look.

Edit: I don’t see how this EU nonsense would apply in the US.
I see it hit more than one of these bullshit detectors listed here:

1 Like

Which ones? Out of curiosity

Random pick: “did not have personal jurisdiction over the defendant”

If I am a US based company providing service to the world and I inform users that data is held in the US, I bet the US government would not enforce some bullshit lawsuit by some European resident.

If you have a business which “sells services to EU citizens:”

How would the EU not have personal jurisdiction over you?

WTH, how would not China government have jurisdiction over people on this forum calling the country undemocratic?

Well, calling China undemocratic is not the same thing as offering goods or services to Chinese. This is the same principle that say California uses to regulate people living in Nevada (who sell goods to Californians), or New York uses to regulate all bitcoin services offered to its people.

Its a basic feature of the regulatory state, and is pretty well accepted by all the major economies. It may not be right or just or fair in some abstract sense, but it is the law for the 90% of the human race that lives in meaningful economies.

1 Like