Earlier this month, US companies operating in Europe got some unwelcome news: the Data Transfer Pact between the European Union and the United States, more commonly known as “Safe Harbor,” had been ruled invalid.
For over 15 years, Safe Harbor had ensured that companies with EU operations could transfer online data about their employees and customers back to the United States despite stark differences between US and European privacy law.
With the exponential growth of the digital economy, “cross-border transfers of data have become critical to the core operations of both large and small enterprises,” according to the Software Alliance, a trade group whose members include Intel, Intuit and IBM (and that’s just the “I’s”). “Companies need to share product designs, marketing plans, customer records, inventory data and other essential information between offices and among business partners in order to effectively manage their operations,” according to one of its reports.
The free flow of information enables companies to do everything from centralizing payroll and human resources information at the mother ship in the US to amassing the web search histories, social media updates and online purchases that fuel online advertising, a business expected to be worth US$80 billion worldwide by 2018.
The European court’s ruling has serious implications for these companies’ business models and profitability, leaving many scrambling to find solutions. But it also exposes a fundamental cultural rift between the US and Europe’s conceptions of privacy – one that a new agreement won’t be able to paper over.
European Court of Justice steps in
Over 4,000 US companies joined Safe Harbor, which required only that a company certify that personal data, once transferred, would enjoy the same level of protection in the US as it did in Europe.
Sadly, that proved not to be the case. In 2013, when Edward Snowden revealed that the National Security Agency was collecting the content of millions of online communications through its Prism program, Europeans realized that the “just trust us” system of self-certification by US companies like Facebook was not protecting the data of European customers from NSA surveillance.
The European Court of Justice did not “like” this one bit.
Max Schrems, an Austrian law student, had been challenging Facebook’s privacy practices for several years. Snowden’s leaks prompted him to file another complaint, saying that Facebook couldn’t legally transfer his online data to the United States because Safe Harbor wasn’t ensuring its protection.
Schrems’ case eventually reached Europe’s highest court, which did not mince words. The NSA’s wide-ranging surveillance of Europeans’ personal data, it wrote, was threatening “the fundamental right to respect for private life.” The court effectively threw out the Safe Harbor agreement, telling privacy regulators in each member country to figure out if US companies were complying with European law.
Snowden responded on Twitter:
Culture clash, part I: the fight over privacy
The court’s decision rests on a completely different vision of privacy from that of the United States. In Europe, privacy is a fundamental right, trumping even free speech. In the US, not so much. We mostly believe what one tech CEO said back in the ’90s: “You have zero privacy anyway. Get over it.”
As I have previously written, United States law often confuses privacy with secrecy. Even in regular criminal investigations, once private information is shared with anyone, it is no longer protected by the Fourth Amendment right to be secure from unreasonable searches and seizures. So law enforcement can examine your phone records and bank statements without a warrant because you haven’t kept this information completely secret – you’ve shared it with a third party, either the phone company or the bank.
In Europe, if information is personal to you, you have the right to decide how it can be used, even if it has already been collected by Google or Facebook. Just last year, the European court upheld a “right to be forgotten” powerful enough to force search engines to take down links leading to inaccurate or outdated information.
Culture clash, part II: the fight over surveillance
Under Section 702 of the Foreign Intelligence Surveillance Act, the US government can collect the contents of electronic communications, including telephone calls and emails, where the target is reasonably believed to be a non-US person located outside the United States.
Even though these online communications are not technically collected in bulk, hundreds of millions of transactions are intercepted, either through demands made to internet service providers through the Prism program, or through so-called upstream collection, where information is siphoned from the internet’s telecommunications “backbone” over which data travels.
Europe’s concept of individual dignity and privacy cannot happily co-exist with an NSA intelligence-gathering operation on this scale. But which side will give in?
Google and Facebook have warned that NSA surveillance practices could end up breaking the internet if they’re not reformed. The result would be different countries walling off their networks, a trade and innovation disaster.
On the other hand, the European approach might be at odds with the borderless architecture of the internet. As one leading security expert put it, “surveillance is the business model of the internet. We build systems that spy on people in exchange for services. Corporations call it marketing.”
So what happens next?
Ah. I was afraid you might ask that.
Large businesses are operating as usual, only with armies of lawyers behind the scenes redrafting contracts and figuring out next moves. Some are speeding up plans to build European data-storage facilities, even though it’s not clear that geographical siloing of data will really protect against NSA surveillance. The situation is even more daunting for smaller companies, which represent 60% of the users of Safe Harbor. Data service and storage companies working for US multinationals risk being replaced by European companies if data can’t be transferred.
The European Commission has promised new guidance soon, but negotiations between Europe and the United States for a new data transfer pact have been dragging on for two years. Worse, any agreement will have to address the fundamental incompatibility between European and American laws. If US companies pledge to keep data safe, they could find themselves in violation of NSA demands for “compelled assistance,” potentially exposing them to fines as high as $250,000 a day. But if US companies comply with NSA requests for user data, they might be violating Europe’s privacy laws and face fines from their European hosts. So what’s a company to do?
For now, the US Department of Commerce is “continuing to administer the Safe Harbor program, including processing submissions for self-certification.” It does add, however, that companies might want to call a lawyer.
One thing is certain. It’s going to be a legal fees bonanza.