US-EU Data Transfer Deal Gets Struck Down

Happy Thursday everyone.  On Tuesday, there was a major development out of the European Union that significantly complicates how international companies operate.  In 2000, the US and EU put a data sharing agreement into place to govern how companies transferred data between the two regions (known as the Safe Harbor Agreement, not to be confused with the DMCA’s Safe Harbor provisions).  The Safe Harbor Agreement required tech companies to follow European standards for digital privacy in exchange for the ability to move that information back to servers located in the US.  The European Court of Justice (ECJ) ruled that the Safe Harbor Agreement was invalid under the EU’s right to privacy, specifically under Article 8 of the European Convention for the Protection of Human Rights.  The text of the ruling can be found here.

As the New York Times points out, the root of this ruling lies in differences in how the US and EU view digital privacy.  The US “mostly [views data privacy] as a consumer rights issue” whereas the EU views data privacy as a fundamental right (think of how the US views free speech or freedom of religion).  This difference of views is fundamental, and bound to result in issues (as evidenced by the attempts to renegotiate the Safe Harbor Agreement prior to this ruling).  This disagreement reared its ugly head last year with the ECJ ruling that European citizens had a “right to be forgotten”, where individuals could request that search engine companies like Google remove them from search results.

However, Snowden’s revelations on the scope of US data surveillance proved instrumental in the ECJ’s decision.  The ECJ directly cited the access of US intelligence agencies as evidence for the US not holding European data to the levels required by the Safe Harbor Agreement.  The ECJ noted that many of the companies involved in the suit possessed Safe Harbor certification from the Department of Commerce (the certifying authority on the US side).  The ECJ rejected the US counsel’s assertion that these programs represented targeted intelligence gathering efforts.  The ECJ tasked individual countries’ national security authorities with reviewing complaints and making rulings on matters previously covered by the Safe Harbor Agreement.  If so, this represents significant fallout from Snowden’s revelations about the breadth of US intelligence gathering in the digital realm.

The judgment also covers the use of the data by US companies.  The parties bringing the suit at the ECJ primarily brought suit against American tech companies for failing to adhere to EU standards of privacy protection, meaning that these companies represented the focus of the lawsuit (more so than the NSA or US government).  This makes sense, given that the Safe Harbor Agreement’s execution lies primarily with American tech companies that traffic in astounding amounts of information (such as Facebook and Google).

This ruling has a significant impact on these companies.  The Safe Harbor Agreement played a significant role in simplifying data sharing by international companies between their American and European branches.  In addition, companies like Google and Facebook rely heavily on access to data for their business models.  Both companies profit heavily from the ability to mine substantial amounts of data, and anything that jeopardizes that flow of data will have a significant effect on their bottom line.  In addition, many international companies may have trouble sharing information related to routine business between their European and American branches.  For example, an American company with European subsidiaries may not be able to share payroll or HR information between branches (at least not until a new agreement gets put into place).  At any rate, dealing with individual countries’ national security authorities presents a significant extra step for American companies operating in Europe.

This ruling also gives the EU substantial leverage with the US negotiators going forward.  The impact on US firms (an estimated 4700 companies utilized the Safe Harbor Agreement) will likely place significant pressure on the Department of Commerce.

What will be interesting to observe going forward is how this affects US policies on data privacy.  This ruling places a lot of pressure on the US to abandon the self-certification that the Safe Harbor Agreement previously put into place.  There is also a significant question of how the EU will synthesize the data protection standards of its various member countries.  If nothing else, the US may have to strengthen our own data privacy rules and regulations in order to get a new agreement put into place.  All that’s really known at this point is that sharing data between the US and EU just became a headache.  How that headache is resolved is a matter worth following.  Stay tuned for continuing developments on this front.
