Jonathan (Josh) Kallmer
What Happens to the Internet Without a Safe Harbor in February?

On February 2nd and 3rd, European privacy regulators will meet to decide how to move forward on one of the most important issues to face the transatlantic economic relationship in years: the terms for keeping citizens and businesses connected across the Atlantic. At stake is whether both European and American companies will be able to run their businesses, develop exciting new products and services, create jobs, and support small businesses. The issues demand no less than the focused attention of top policymakers in Europe and the United States, including the heads of state and government.

A situation where a significant portion of the Internet is effectively shuttered is frankly unimaginable. Yet in the absence of leadership on both sides of the Atlantic, including from the leaders of the EU Member States, it may very well come to pass.

In October 2015, the Court of Justice of the European Union (CJEU), Europe’s highest court, ruled that the European Commission had failed to evaluate whether the United States provides appropriate protections for the personal data of EU citizens as companies move data across the Atlantic to run their businesses. As a result, the court’s decision effectively invalidated much of the legal basis for such transfers, which is known as the “Safe Harbor” framework. European data protection authorities (DPAs) will now assess whether the steps taken by EU and U.S. negotiators, since the invalidation of Safe Harbor, to improve protections for EU citizen data pass muster under the court’s judgment.

EU data protection rules require that, for the personal data of EU citizens to be transferred to another country, that country must ensure an “adequate” level of protection. As the CJEU clarified, whether that country’s protections are adequate depends on whether the country’s laws and practices are “essentially equivalent” to EU data protection rules.

On its face, that seems reasonable. The problem is that, when European DPAs evaluate whether the United States provides a level of data protection “essentially equivalent” to that of the EU, they are apparently not comparing apples to apples. In particular, while they are assessing the entire set of U.S. national security rules and practices, including those concerning government surveillance, they are not also doing so for the corresponding security and surveillance rules and practices of EU Member States.

The DPAs seem to justify this approach on the basis that the EU does not have jurisdiction – or “competence” – to bind EU Member States when it comes to national security. That is both true and irrelevant. Just because the EU cannot legislate or regulate in the area of national security does not mean that it should omit those considerations from its analysis. To do so would make meaningless its evaluation of whether U.S. privacy protections are “essentially equivalent” to those of the EU.

It would also be incorrect. Despite arguments to the contrary, as the Fourth Amendment to the U.S. Constitution attests, privacy is a fundamental right for U.S. citizens, just as it is for EU citizens. Moreover, while U.S. national security practices have been criticized since the Snowden revelations, U.S. law actually contains significant safeguards and judicial oversight for government surveillance activities. That is not necessarily the case for certain EU Member States, which carry out comparable surveillance activities, in many cases without comparable protections against abuse.

This would be no more than an interesting legal debate were the potential consequences not so profound. If the EU and United States do not come to an agreement on “rules of the road” for transatlantic data transfers very soon, companies, small businesses, and citizens will suffer significant and relatively immediate economic damage. Companies in all sectors – not just the tech sector – will find that they lack a legal basis to move data across borders.

European entrepreneurs may be unable to sell their goods and services to U.S. customers. European citizens may be unable to buy insurance or other financial products from U.S. providers. U.S. doctors and other medical professionals who provide diagnostic or therapeutic services to European citizens may not be able to help those patients. And young Europeans who wish to apply to college in the United States may be unable both to purchase test preparation services and to apply to schools.

Global tech companies and multinational companies in all sectors strongly support government objectives with respect to both privacy and security. These are core to the trust and confidence on which companies’ relationships with their customers depend. And they respect the heritage of data protection in both Europe and the United States. They have years of experience with moving data in safe, secure ways, and they want to be a part of the solution.

This debate has become charged along national lines, but it is not about nationality. The deep and longstanding economic integration between Europe and the United States belies that notion. Instead, this should be about working together to find a public policy formula for advancing three values that both Europe and the United States share: privacy, security, and innovation. Ultimately, if we fail to do so, the consequences will harm us all.

Public Policy Tags: Forced Localization, Data & Privacy, Trade & Investment, Internet Governance