Since last Tuesday’s groundbreaking news that the European Court of Justice has ruled the US’s safe harbor provision invalid, privacy lawyers across the world have been scrambling to advise clients on how to stay within the EU’s strict data protection laws. Once the panic is over, what will be the long term policy implications?
First, a quick recap. Europe’s data protection framework prohibits the transfer of personal data outside of the EU. ‘Safe harbor’ is a European Commission-approved scheme that effectively gives companies who sign up to it an exemption to this prohibition and is used by countless US-based firms to offer their services to the European market.
In the wake of Edward Snowden’s allegations of top internet firms’ cooperation with government surveillance programmes, Austrian privacy activist, Max Schrems, in an effort to expose safe harbour’s weakness, complained to the Irish data protection regulator about US-based Facebook exporting his data. The complaint was turned down, but Schrems appealed to the European Court, who ruled not just against this specific case, but against the whole safe harbour framework.
The implications are potentially huge, although ironically not for Facebook. Like most of the big players, Facebook claims to be unaffected, having made back-up arrangements with the Commission. The biggest impact will be felt by the SMEs, not large enough to employ legions of lawyers, who have been thrown into operational uncertainty and left exposed to fines and investigations if they don’t quickly develop effective workarounds. Eyes are now turning to the US and EU institutions to find a resolution, perhaps by speeding up the development of ‘safe harbour 2’. The confusion that will linger in the meantime will undoubtedly damage the digital economy at large.
Although many were surprised at the ruling, the so-called ‘death of safe harbour’ was in some senses inevitable. There’s an ongoing tension at the heart of data privacy. On the one hand, data is the currency that makes the digital world go round; allowing companies to access our data is part and parcel of using the services we now rely on. On the other hand, consumers have grown distrustful of governments’ and large corporations’ capacity to use and abuse data. Existing data protection provisions, including the 15 year old safe harbour, are under increasing pressure as a consequence.
Safe harbor is also a victim of an old EU political tussle: between the different institutions for power; the tendency for Brussels to go aggressively after Silicon Valley (even at the expense European citizens and businesses); and the fundamental cultural differences in attitude towards privacy in the EU and the US, which hark back to WW2. These are not going to go away anytime soon.
Finding a solution quickly, even if it is just a sticking plaster, is essential for the Commission’s plans for a borderless Digital Single Market, for EU-US trade relations, currently being negotiated through TTIP, and for the prospects of the 1000s of companies who need legal certainty to grow their data-dependent businesses. All in all, it’s a reminder that robust and interoperable privacy laws are the very bedrock of a functioning worldwide digital economy.