A European Union court ruling invalidating a set of cross-Atlantic data handling has emboldened privacy advocates who have long questioned whether U.S. companies adequately protect their European customers’ information.
In early October, the Court of Justice of the European Union (CJEU), citing large-scale U.S. government surveillance programs, struck down the 15-year-old Safe Harbor Framework, a set of rules that allow U.S. companies to import European personal data while certifying that they comply with strict EU privacy regulations. The rules expire at the end of January.
U.S. and European negotiators, intent on preserving an estimated $1 trillion in annual trade across the Atlantic, are now scrambling to develop new guidelines. More than 4,000 U.S. businesses using the Safe Harbor Framework are worrying whether they can still import the personal data of European customers. And privacy advocates are pushing for stronger privacy laws in the United States.
“The aim must be to find a long-term solution to the underlying privacy issues, not a quick fix like Safe Harbor originally was.” — David Martin, senior legal officer, European Consumer Organization
The ruling prompted “a moment of truth,” said Jeffrey Chester, executive director of U.S. privacy group the Center for Digital Democracy. “The companies had it easy. The Safe Harbor deal was always a joke. Nobody believed it worked.”
Less than three weeks after the court ruling, EU officials announced an agreement in principle with the United States on a so-called Safe Harbor 2.0. But privacy advocates on both sides of the Atlantic aren’t convinced that it would be effective. They are maintaining pressure on government officials, said David Martin, senior legal officer at the Brussels, Belgium-based European Consumer Organization (BEUC).
“Any new framework that is put in place to facilitate data transfers between the EU and U.S. needs to ensure full respect of fundamental rights and EU data protection legislation,” Martin said. “The aim must be to find a long-term solution to the underlying privacy issues, not a quick fix like Safe Harbor originally was.”
While the EU recognizes privacy as a fundamental human right, he said, the United States has few laws protecting the privacy of its residents. Some U.S. regulations protect financial and medical information, but the United States has no law governing the collection of most personal data.
“I personally do not see how a new Safe Harbor could meet the requirements set by the ruling of the European Court of Justice,” Martin said, “unless the U.S. introduces privacy legislation that provides a level of protection that is essentially equivalent to the one granted in EU legislation.”
U.S. privacy laws “aren’t as strong as they could be,” — Rep. Joe Barton (R-TX)
Even if the Europeans wanted to approve a deal to keep personal data flowing between the EU and United States, Chester of CDD said, they “certainly can’t trade away their fundamental right for merely empty promises.”
The tension between EU and U.S. privacy laws was a hotly debated topic at the International Privacy Conference in Amsterdam in late October. When a group of privacy advocates and academics presented a paper focused on ways to “bridge” the gaps between EU and U.S. data protection rules, a competing group of more than 30 privacy and consumer groups blasted the report, calling it “remarkably out of touch with the current legal reality.”
The paper’s recommendations “would do little to change the business or government behavior that threatens privacy and data protection,” said the privacy groups, including Chester’s CDD and Martin’s BEUC.
In a more recent hearing before two U.S. House of Representatives subcommittees, several lawmakers—along with representatives of the U.S. Chamber of Commerce and software trade group BSA—called on U.S. and EU negotiators to quickly approve a new Safe Harbor agreement. Other lawmakers called for Congress to pass strong privacy laws.
U.S. privacy laws “aren’t as strong as they could be,” said Rep. Joe Barton, a Texas Republican.
A new Safe Harbor agreement could fix some of the objections, if there’s agreement on law enforcement access to private data, said Lisa Sotto, a privacy lawyer at Hunton & Williams in New York. But other privacy advocates may continue to fight against it.
“The big question in my mind is whether any version of Safe Harbor will be good enough” for some Europeans, she said. “It’s such a mess. This is so highly politicized.”