The European Court of Justice’s invalidation of a European Union-U.S. data protection agreement this month sent shock waves through U.S. businesses and caused Congress and President Barack Obama’s administration to scramble for a solution.
The EU’s highest court said on Oct. 6 the U.S. doesn’t do a good job of safeguarding EU citizens’ personal data or privacy, as required under the Safe Harbor Agreement reached in 2000. The agreement allowed U.S. companies to transfer personal data from the EU to the United States as long as they follow privacy standards from the European Union’s Data Protection Directive. The decision has left Congress and the Obama administration struggling to find a new balance between the surveillance needed for national security and privacy in a way that allows U.S. companies to do business in the EU. And Washington is seeking that balance without certainty it will satisfy its overseas allies.
More than 4,000 U.S. companies are meanwhile figuring out how to operate in a world that increasingly relies on moving data across borders.
Companies that transfer data under the Safe Harbor Agreement are breaking the law, according to guidance released by an EU working group.
The group said EU authorities are ready to take unspecified enforcement actions if no “appropriate solution” is found by the end of January 2016.
The court’s invalidation of the Safe Harbor Agreement is “collateral damage in the global dialogue on surveillance,” said Nuala O’Connor, president & CEO of the Internet-rights advocacy group Center for Democracy and Technology. She has been chief privacy officer at the Department of Homeland Security and worked on privacy issues for General Electric and Amazon.
Fixes in Motion
The court ruled in a case brought by Austrian privacy activist Max Schrems, who argued that in light of the Edward Snowden revelations, the transfer of European Facebook users’ data to U.S. servers made the information susceptible to surveillance by U.S. intelligence.
Companies rely on moving data across borders, and limits on doing so would present an immense business challenge. Businesses are also increasingly relying on the cloud, which allows data to be stored on servers anywhere in the world.
“Imagine trying to complete a purchase online and being told that your purchase has been blocked because your credit card information needs to be processed somewhere else,” wrote Microsoft President and Chief Legal Officer Brad Smith in a recent blog post. “Imagine having your airline reservation rejected because your passport information cannot be transmitted by the airline to the country where you want to fly.”
He said preventing data from crossing borders would be a “return to the digital dark ages.”
The House reacted to the court decision by passing the Judicial Redress Act (HR 1428) two weeks later. The legislation would allow citizens of designated foreign allies to review information collected on them by the U.S. government and sue when they believe that information has been mishandled.
Bill sponsor Rep. Jim Sensenbrenner, R-Wis., said the legislation is “a positive step in restoring our international reputation and rebuilding trust.” The bill awaits action in the Senate.
O’Connor said the measure provides “more of a symbolic equality, but it is at least showing the U.S. is willing to examine its own laws.”
The U.S. Chamber of Commerce, civil liberties groups and companies including Facebook, Google and Microsoft pushed for passage of the bill, saying it can help restore trust by providing greater transparency to EU citizens concerned about how their data is handled. Supporters hope the bill can lead to a new agreement.
The Department of Commerce, which has been trying to update the Safe Harbor Agreement for two years, is now feeling pressure to move quickly.
A bipartisan, bicameral group of more than 50 lawmakers sent a letter on Oct. 14 to Secretary of Commerce Penny Pritzker and Federal Trade Commission Chairwoman Edith Ramirez urging immediate steps be taken toward a new pact.
In the letter, the lawmakers noted that data flows between the U.S. and EU are the highest in the world.
“Disruption of this free flow of information would have unfortunate effects on students, consumers, and businesses, as well as speech and innovation more generally,” they wrote.
The court decision also spurred members of the House Energy and Commerce Committee to seek a briefing from the Commerce Department on the impact of the decision and the next steps required to negotiate an updated deal. A committee staffer said the briefing is scheduled for the last week of October.
Commerce officials agree that a new agreement must be struck quickly.
“The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” Pritzker said in a written statement.
A Referendum on Surveillance
The U.S. efforts are taking place without certainty they will satisfy the EU. The EU working group guidance emphasized that data transfers must “respect fundamental rights.” EU courts say privacy is one of those rights.
Henry Farrell, associate professor of political science and international affairs at George Washington University, said whether the U.S. needs to limit its ability to gather information on foreigners for purposes of national security will be “a very tricky question for the U.S. to face up to.”
Groups including the Center for Democracy and Technology, the international Internet-rights group Access and the technology think-tank Information Technology and Innovation Foundation are urging revisions to surveillance laws.
“There is a clear need for the U.S. and Europe to set clear, lawful, and proportionate standards and safeguards for conducting surveillance for national security purposes,” said Jens-Henrik Jeppesen, director of European Affairs at the Center for Democracy and Technology.
He specifically called for changes to Section 702 of the Foreign Intelligence Surveillance Act, which authorizes the National Security Agency to review Americans’ emails and phone calls with foreigners.
“The U.S. Congress should act quickly to provide greater privacy protections to everyone caught up in the U.S. mass surveillance dragnet, and help restore confidence in U.S. tech companies,” Jeppesen said in a written statement.
Companies in Limbo
Until a new agreement is reached, U.S. companies are left to figure out what they can do with data. Companies can, for example, rely on contractual clauses with customers allowing data movement. Microsoft uses such a clause, though it still calls for other measures to address the broader uncertainty around data transfers.
Companies without such clauses have to find other solutions by the end of January. They could keep the data within the EU or send it only to servers in countries that meet the EU standards for data protection.
“They will have to reorganize many of their business practices. It will be very expensive for them,” Farrell said. “They can basically blame U.S. surveillance for substantially damaging their business model.”