The invalidation of an agreement that allows personal data to flow between Europe and the US has prodded officials to search for a new solution. Facebook and NSA mass surveillance are at the center of the debate.
“It has been an earthquake, 7.8 on the Richter scale,” US Federal Trade Commissioner Julie Brill said of the European Court of Justice (ECJ)’s October 6 ruling that voided the agreement used for the past 15 years to deal with the big variances between EU and US data privacy rules. Brill, speaking at a recent European Institute breakfast in Washington’s Cosmos Club, added, “It is kind of like the abortion and gun-control debates here wrapped up in one.”
The Luxembourg-based ECJ sided with Austrian data privacy warrior and Facebook user Max Schrems, who sued the company in Ireland for moving his data from its Irish subsidiary to its California headquarters, where it can – allegedly – be scoured by the National Security Agency (NSA). The ECJ found that in light of the 2013 Snowden disclosures about programs like PRISM that give the NSA access to citizens’ emails, the “Safe Harbor” agreement that the EU Commission negotiated with the US administration in 2000 does not adequately protect personal data, as it was supposed to. So, what next?
EU Ambassador to the US David O’Sullivan told DW: “We would all prefer to have a new Safe Harbor regime, and we understand the urgency of the issue.” O’Sullivan is confident that a successor agreement, one which fully integrates the new ECJ case-law, will ensure Europeans’ privacy rights are respected without needing to interrupt data flows.
Companies are nervous, mindful that if they make a wrong move they can be alternately fined for breaching privacy law, forced to interrupt personal data flows, or required to make costly changes to their corporate structure or governance. “There is going to be a lot of losers from this ruling,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), a Washington think-tank focused on the digital economy.
Castro predicted that smaller-sized businesses using software and devices produced by giants like Apple, Facebook, Google and Microsoft would have the most to fear, because they lack the financial resources to hire the necessary people to come up with solutions. More than 4,000 companies signed up to the 2000 agreement, vowing to follow European privacy norms in return for a free data flow.
He raised the specter of a “splinternet” emerging, where data-processing centers spring up in multiple countries as firms try to avoid falling foul of divergent privacy laws. “We are seeing an increase in the number of data centers in Europe, although it is hard to say what is causing this,” Castro said.
US lacks data-privacy legislation
While governments and businesses want to see the swift conclusion of a “Safe Harbor 2.0,” Marc Rotenberg, president of the Electronic Privacy Information Center, an advocacy group in Washington, doubted that such a new regime will withstand further legal challenges.
European and American privacy frameworks are simply too different to enable transfers to continue legally, he maintained. In particular, the US – unlike Europe – has no overarching data-privacy law for the commercial sector. Moreover, the NSA – a public authority – cannot claim to provide adequate protection of personal data if – as alleged – it runs surveillance programs that collect emails and phone records from hundreds of millions of ordinary citizens.
Ambassador O’Sullivan acknowledged that the big sticking point in the EU Commission-US Department of Commerce negotiations on a new Safe Harbor is government surveillance. But he insisted there has been progress. In June, the US enacted legislation to rein in the NSA’s ability to do dragnet surveillance of Americans’ phone records. That legislative fix – the USA Freedom Act – notably excluded from its scope surveillance of people living outside the US.
And on October 20, the US House of Representatives passed the Judicial Redress Act, which gives Europeans the right to petition US courts if they feel a US government agency is misusing their data. The bill still needs to pass the Senate and be signed by President Obama (who supports it). In addition, EU and US negotiators are near to finalizing a so-called umbrella agreement that lays down privacy rules for when their police and criminal justice authorities share information with each other.
But despite these moves towards rapprochement, the issue is likely to remain an irritant for transatlantic relations even if a successor Safe Harbor agreement is wrapped up, given the chasm between the European and American legal systems.
In the face of this conundrum, the president of Microsoft is floating a more radical solution: that US authorities wanting to access an EU resident’s personal data would need to get permission from the individual’s home country, with requests assessed according to that country’s law, not US law. In a recent blog post, Brad Smith, who serves as Microsoft’s chief legal officer, said this solution, crucially, would comply with the ECJ’s demand that America provide “essentially equivalent” protection to Europeans’ personal data.
“Privacy really is a fundamental right,” argued Smith. “We need to ensure across the Atlantic that people’s legal rights move their data.”