The ‘Safe Harbor’ Data Transfer Pact is Ruled Invalid


Earlier this month, US companies operating in Europe got some unwelcome news: the Data Transfer Pact between the European Union and the United States, more commonly known as “Safe Harbor,” is invalid.

For over 15 years, Safe Harbor had ensured that companies with EU operations could transfer online data about their employees and customers back to the United States despite stark differences between US and European privacy law.


With the exponential growth of the digital economy, “cross-border transfers of data have become critical to the core operations of both large and small enterprises,” according to the Software Alliance, a trade group whose members include Intel, Intuit and IBM (and that’s just the “I’s”). “Companies need to share product designs, marketing plans, customer records, inventory data and other essential information between offices and among business partners in order to effectively manage their operations,” according to one of its reports.

The free flow of information enables companies to do everything from centralizing payroll and human resources information at the mother ship in the US to amassing the web search histories, social media updates and online purchases that fuel online advertising, a business expected to be worth US$80 billion worldwide by 2018.

The European court’s ruling has serious implications for these companies’ business models and profitability, leaving many scrambling to find solutions. However, it also exposes a fundamental cultural rift between the US and Europe’s conceptions of privacy – one that a new agreement will not be able to paper over.

European Court of Justice steps in

Over 4,000 US companies joined Safe Harbor, which required only that a company certify that personal data, once transferred, would enjoy the same level of protection in the US as it did in Europe.

Sadly, that proved not to be the case. In 2013, when Edward Snowden revealed that the National Security Agency was collecting the content of millions of online communications through its Prism program, Europeans realized that the “just trust us” system of self-certification by US companies like Facebook was not protecting the data of European customers from NSA surveillance.

The European Court of Justice did not “like” this one bit.

Max Schrems, an Austrian law student, had been challenging Facebook’s privacy practices for several years. Snowden’s leaks prompted him to file another complaint, saying that Facebook could not legally transfer his online data to the United States because Safe Harbor was not ensuring its protection.

Schrems’ case eventually reached Europe’s highest court, which did not mince words. The NSA’s wide-ranging surveillance of Europeans’ personal data, it wrote, was threatening “the fundamental right to respect for private life.” The court effectively threw out the Safe Harbor agreement, telling privacy regulators in each member country to figure out if US companies were complying with European law.

Snowden responded on Twitter:

Congratulations, @MaxSchrems. You’ve changed the world for the better.

— Edward Snowden (@Snowden) October 6, 2015

Culture clash, part I: the fight over privacy

The court’s decision rests on a completely different vision of privacy from that of the United States. In Europe, privacy is a fundamental right, trumping even free speech. In the US, not so much. We mostly believe what one tech CEO said back in the ’90s: “You have zero privacy anyway. Get over it.”

As I have previously written, United States law often confuses privacy with secrecy. Even in regular criminal investigations, once private information is shared with anyone, the Fourth Amendment right to be secure from unreasonable searches and seizures no longer protects it. Therefore, law enforcement can examine your phone records and bank statements without a warrant because you have not kept this information completely secret – you have shared it with a third party, either the phone company or the bank.

In Europe, if information is personal to you, you have the right to decide how it can be used, even if already collected by Google or Facebook. Just last year, the European court upheld a “right to be forgotten” powerful enough to force search engines to take down links leading to inaccurate or outdated information.

Culture clash, part II: the fight over surveillance

Under Section 702 of the Foreign Intelligence Surveillance Act, the US government can collect the contents of electronic communications, including telephone calls and emails, where the target is reasonably believed to be a non-US person located outside the United States.

Even though these online communications are not technically collected in bulk, hundreds of millions of transactions are intercepted, either through demands made to internet service providers through the Prism program, or through so-called upstream collection, where information is siphoned from the internet’s telecommunications “backbone” over which data travels.

Europe’s concept of individual dignity and privacy cannot happily co-exist with an NSA intelligence-gathering operation on this scale. But which side will give in?

Google and Facebook have warned that NSA surveillance practices could end up breaking the internet if they are not reformed. The result would be different countries walling off their networks, a trade and innovation disaster.

On the other hand, the European approach might be at odds with the borderless architecture of the internet. As one leading security expert put it, “surveillance is the business model of the internet. We build systems that spy on people in exchange for services. Corporations call it marketing.”

So what happens next?

Ah. I was afraid you might ask that.

Large businesses are operating as usual, only with armies of lawyers behind the scenes redrafting contracts and figuring out next moves. Some are speeding up plans to build European data-storage facilities, even though it is not clear that geographical siloing of data will really protect against NSA surveillance. The situation is even more daunting for smaller companies, which represent 60% of the users of Safe Harbor. Data service and storage companies working for US multinationals risk replacement by European companies if data cannot be transferred.

The European Commission has promised new guidance soon, but negotiations between Europe and the United States for a new data transfer pact have been dragging on for two years. Worse, any agreement will have to address the fundamental incompatibility between European and American laws. If US companies pledge to keep data safe, they could find themselves in violation of NSA demands for “compelled assistance,” potentially exposing them to fines as high as $250,000 a day. But if US companies comply with NSA requests for user data, they might be violating Europe’s privacy laws and face fines from their European hosts. So what’s a company to do?

For now, the US Department of Commerce is “continuing to administer the Safe Harbor program, including processing submissions for self-certification.” It does add, however, that companies might want to call a lawyer.

One thing is certain. It is going to be a legal fees bonanza.

“Ruling shows Europe still vexed over NSA spying, leaving US companies in legal limbo” is republished with permission from The Conversation.
