Over the last few weeks, Net Politics has counted down the top five developments in cyber policy of 2015. Each policy event had its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. The last post of this series covers Safe Harbor.
Lincoln Davidson is a research associate for Asia Studies at the Council on Foreign Relations.
Looking back in a few years, the invalidation of the Safe Harbor framework governing data transfers from the European Union to the United States may stand as the most significant cyber story of 2015. Not only has it already had an impact on the thousands of American businesses operating in the EU under the framework, but it also represents something of a turning point in the way privacy is conceptualized and governed transnationally. It may also be a bellwether for the fracturing of the global Internet.
More than 4000 U.S. companies operating in Europe have been permitted under a July 2000 decision by the European Commission to transfer the personal data of EU citizens to the United States so long as they agreed to provide an adequate level of privacy protection for that data. Then, in October 2015, the Court of Justice of the European Union (CJEU) ruled that “indiscriminate” surveillance by the United States government endangers that protection by placing “national security, public interest, or law enforcement requirements” over privacy principles. The CJEU invalidated the Safe Harbor agreement and ruled that national data protection authorities in the EU can examine individual companies’ compliance with EU privacy regulations.
While many of the big companies like Microsoft saw the CJEU ruling coming and put agreements in place, many others have scrambled to find workarounds that will allow them to continue to transfer data once the rules become invalid at the end of this month. United States and EU officials have likewise been meeting to negotiate a replacement for the arrangement (discussions that began before the CJEU overturned Safe Harbor 1.0). While they agreed “in principle” about how to address the CJEU’s demands for a new Safe Harbor agreement just weeks after the decision, important questions about compliance and enforcement remain.
Meanwhile, shifting rules back home complicate the picture. In the United States, the House passed a bill in October 2015 that would grant foreign nationals the same rights to judicial redress enjoyed by U.S. citizens if law enforcement violates their privacy. Although the bill has a way to go before it reaches President Obama’s desk, the measure could lay the groundwork for European authorities looking more favorably on U.S. data protections. Also this fall, the European Union passed new data protection rules that make privacy regulations uniform across the European Union.
The proximate reasoning behind the CJEU’s decision to overturn Safe Harbor was the United States’ surveillance practices (despite, as many have pointed out, the CJEU’s failure to adequately review those practices). However, the CJEU’s ruling ultimately rests on an essential difference between the United States’ and European Union’s conceptions of privacy.
While the “fundamental cultural underpinnings” of the relationship between individuals and the state and individuals and corporations may be the same on both sides of the Atlantic—i.e., based on the ideas of Enlightenment thinkers such as John Locke or Immanuel Kant—the directions in which those principles have led policymakers in the United States and the European Union are very different. The United States has a web of privacy protections and enforcement authorities that stretches across economic sectors and between the state and federal levels. Europe has taken a more centralized approach to privacy regulation, favoring omnibus privacy policies as exemplified by the soon-to-be-updated data protection directive and a single point of contact for oversight. The United States prioritizes economic competitiveness and innovation over privacy, and the European Union seems to do the reverse.
The gap between the United States and Europe over privacy is large but not insurmountable. Companies will find it in their interest to ensure data keeps flowing across borders; as we’ve already seen since the Safe Harbor arrangement was repealed, they will be willing to expend significant resources to ensure those flows don’t stop. Regulate just a bit, and small firms and startups may be forced out of the market due to heavy compliance costs; regulate a lot, and you risk fracturing the global Internet. This year, policymakers on both sides of the Atlantic have a shared interest in a workable compromise that prevents either of these two outcomes.