What the heck is (or was) Safe Harbor? And why should you care?
Until this week, the Safe Harbor agreement (2000) allowed U.S. companies to transfer European citizens’ personal data to the United States and store it there. Because the U.S. does not have a general data protection law, Safe Harbor was needed to bypass strict European rules that protect personal data.
On Tuesday, the European Court of Justice (ECJ) reportedly said that under Safe Harbor “U.S. public authorities could access [that personal] data.” Such access would be a violation of European privacy protection.
“[L]egislation permitting the public authorities to have access on a generalized basis to the content of electronic communications” is facially a violation of the right to privacy under the Charter of Fundamental Rights of the European Union (¶94). – Alex Loomis
The Court ruling came in response to a lawsuit filed by Austrian law student Max Schrems. Schrems used Edward Snowden’s claim that the NSA was carrying out mass surveillance on technology companies to make his argument that Facebook was not providing sufficient protection for Europeans.
How big a deal this might be for tech companies seems to be related to who is doing the talking.
As with any decision like this, response ranges from nuanced to sledgehammer. For example, here’s the Information Technology and Innovation Foundation:
Aside from taking an ax to the undersea fiber optic cables connecting Europe to the United States, it is hard to imagine a more disruptive action to trans-Atlantic digital commerce.
For a much more nuanced (and probably more precise) view on whether the ruling is a death knell to Safe Harbor, see Megan Graham at Just Security:
[The decision] invalidated a European Commission decision from 2000 that concluded the US’s “Safe Harbor Privacy Principles” provided adequate protections for Europeans’ privacy rights under EU law… [Now the Irish Data Protection Commissioner] must examine Schrems’ allegations with “all due diligence” to decide whether the transfer of data from Facebook’s Irish subsidiary to Facebook’s US servers affords an adequate level of protection of personal data… The opinion also opens the door for other European countries’ data protection commissioners to independently investigate the adequacy of US protections.
Timothy H. Edgar, a law professor and former Obama Administration director of privacy and civil liberties for the White House National Security Staff, describes the scope of the decision with an emphasis on business needs:
Just to be clear about the stakes – the US-EU safe harbor agreement is vital to transatlantic trade, and not just for big technology firms like Facebook and Google. Safe harbor involves over 4,000 companies. The demise of safe harbor may encourage firms to encrypt data stored in the cloud and take some steps to minimize unnecessary transfers of personal data. That is a good thing. Still, in the age of big data, it is unthinkable that the US and Europe can do business without routine transfers of personal data. The global economy depends on hammering out a new US-EU agreement that allows those transfers to take place – and that will stand up in European courts.
Profit before privacy? That’s not the right equation, according to Renata Avila, global campaign manager at the World Wide Web Foundation:
Without effective safeguards for privacy, the Web as we know it could wither and die. Following today’s ruling, new safeguards must now urgently be put in place that protect the Web as it should be, a secure and private space where people can start businesses, research confidential topics or just chat with friends without the fear of being subjected to unwarranted government snooping.
Jeffrey Chester, executive director of the Center for Digital Democracy, focuses on the need for reforming U.S. law:
There’s a conflict here that can’t be satisfied until the United States passes a privacy law that includes fair information practices and creates clear rules on digital privacy… What’s happened in the past is that U.S. and EU officials were willing to create a deal in order to make commerce flow. Now that’s run headlong into the EU constitution.
What kind of digital data might the U.S. be looking at?
The NSA is able to intercept so many foreign communications, an email sent from Pakistan to Yemen, for instance, because they’re stored on servers on U.S. soil. When it comes to differentiating between messages sent between terror suspects and everyday people, [retired Gen. Michael Hayden, former director of the U.S. National Security Agency] said, “We’re working our way through that dilemma.”
Privacy rights advocates have complained about U.S. spying for a while post-Snowden.
This has been a problem all along, but it took the court to issue a powerful wake-up call to America… The problem is the Federal Trade Commission doesn’t have the legal authority to protect privacy on a level with their regulatory counterparts in Europe. The EU doesn’t really enforce its privacy regimen — the fact is that on paper people have real rights, whereas in the U.S. we’re powerless to do anything against data giants. – Jeffrey Chester
Perhaps Congress can revisit President Obama’s proposed Consumer Privacy Bill of Rights (2012). After all, when “business” is at stake, Rs tend to ramp up in support.
Finally, this decision is not an attack on U.S. tech companies, as some headline writers insist.
Rather, the decision highlights invasive actions taken by the U.S. government.