Last month, the European Court of Justice found that the privacy of European data is not sufficiently protected by the trans-Atlantic agreement known as Safe Harbor. As a result, the court invalidated the agreement.
The E.U. and U.S. governments are now working to establish a new trans-Atlantic data-transfer accord. As an example of these efforts, the House recently passed the Judicial Redress Act (H.R. 1428) — a step in the right direction. The act enables foreign citizens to have the same legal rights as U.S. citizens if their individual privacy is violated by the government. In many ways, the Judicial Redress Act will serve as the foundation for the agreement that replaces Safe Harbor and must be considered a part of the solution, starting with passage of the legislation in the Senate.
Safe Harbor allowed for the flow of data between the E.U. and the U.S. without the need for individual agreements between each jurisdiction and company. Without Safe Harbor, every type of industry that relies on trans-Atlantic data transfers has been required to quickly come up with an alternative legal basis for data transfers — from airline companies to financial services, data storage providers to social media platforms. Given the economic and social costs to industry and individuals, a new data sharing agreement must be developed to address the security and privacy concerns in the U.S. and E.U. A new agreement must also provide a process that allows law enforcement to access and exchange data across borders, while simultaneously respecting individual privacy.
A balancing act: Privacy and national security
In 2000, the U.S. Department of Commerce and the European Commission agreed to a set of data transfer principles for outlining the protection of data no matter where the data is processed and stored — Safe Harbor. Under these principles, a U.S. or E.U. company that declared it would uphold Safe Harbor was then allowed to transfer data between countries.
In response to the terrorist attacks in September 2001, the Patriot Act was enacted, giving the U.S. government the ability to collect information about U.S. citizens and foreigners without consent or a search warrant. While companies agreed to uphold Safe Harbor for trans-Atlantic data transfers, the U.S. government had given itself a surveillance mechanism that was in conflict with the E.U. data directive and the Safe Harbor framework on which it has been based. The dissonance between these two laws was the starting point for disagreement. This was only exacerbated in 2013 by the revelations that the National Security Agency was collecting data without regard to E.U. data protection laws. Europeans felt their rights had been violated.
Given the length of time that the U.S. government has gathered data without consent, it is surprising that the Safe Harbor framework lasted as long as it did. A new Safe Harbor agreement must include a streamlined process for law enforcement to get information and data across borders that also respects individual privacy rights. Passing the Judicial Redress Act in the Senate will be the first step in ensuring these protections and establishing much-needed processes.
What this means for government, companies and consumers
Without the Safe Harbor framework, companies are faced with the almost insurmountable task of establishing data sharing agreements with individual regional jurisdictions. Without these agreements, a global company’s operations are now in question, and it must think twice about investing abroad.
Consumers, if not directly affected as employees of companies that curtailed trans-Atlantic operations, would be faced with the loss of the Internet as it’s known today, a means of global commerce, information and communication exchange. Without agreements in place to provide “borderless” transfers of data, there will be no trans-border mechanism for e-commerce, sending and receiving emails, or sharing personal information using social media. In other words, without Safe Harbor, the backbone of modern technology — information exchange — will be significantly hampered.
While the U.S. and E.U. governments have reached an agreement in principle on a new data sharing agreement, leaders of both governments, privacy advocates and technology companies must continue to work together quickly to establish a new data sharing agreement that builds upon Safe Harbor. This new agreement must put privacy first and strengthen the protections afforded in the E.U., U.S. and across the world. We are in desperate need of a streamlined process to send information across international borders that also respects individuals’ privacy rights.
What needs to be done
Much has changed in the U.S. since the 2013 revelations about the NSA’s surveillance activities, and new meaningful limitations are now placed on the U.S. government’s bulk data gathering practices. However, the European Court of Justice’s invalidation of Safe Harbor has serious consequences for both U.S. and European economies unless a solution is found quickly.
Privacy advocates and technology companies alike have suggested that the invalidation of Safe Harbor is an opportunity to improve upon the status quo. Moving forward, the Judicial Redress Act and other similar legislation in the U.S., such as the Law Enforcement Access to Data Stored Abroad Act that works to reform the Electronic Communications Privacy Act, must be enacted with a sense of urgency.
As policymakers in Washington, D.C. continue to discuss Safe Harbor and digital trade after multiple hearings on Capitol Hill and a recent visit from E.U. Justice Commissioner Vera Jourova, they must work with their partners across the Atlantic to put aside their differences and fast track new digital privacy laws that address the fundamental human rights to privacy and national security in a way that protects both U.S. and European citizens.