Unsafe harbor
A few days ago, the EU Court of Justice ruled (PDF), as the advocate-general recommended two weeks ago, that the Safe Harbor deal negotiated in 2000 is invalid. Safe Harbor was needed for a simple reason: under the 1998 EU Data Protection Directive it's illegal to transfer personal data to countries that do not have adequate protections in place. We're looking at you, United States - which, as Marc Rotenberg, director of the Electronic Privacy Information Center, will remind you, actually led the world in privacy legislation back in the 1970s.
The up-ending of Safe Harbor has been generally welcomed by privacy and human rights advocates: Trans Atlantic Consumer Dialogue, European Digital Rights, Bureau Européen des Unions de Consommateurs (PDF), and EPIC. Open source advocate Simon Phipps helpfully highlights key parts of the decision.
ORG in particular notes that this decision, in conjunction with the April 2014 data retention decision, leads in the direction of requiring targeted surveillance and independent access rather than indiscriminate, bulk collection. Privacy International places the blame squarely on the US itself, arguing that the decision puts the onus on the US to change its laws to join the modern world, calling the Safe Harbor agreement a "pretense".
And quite right. The reality - and Austrian law student Max Schrems' point in bringing the case in the first place - is that US law, specifically the Foreign Intelligence Surveillance Act and its 2008 Amendment, requires US companies and their subsidiaries to comply with government access requests no matter where the data is located. The late independent privacy advocate Caspar Bowden was the first to point this out, months before Edward Snowden's revelations of the NSA's PRISM program made plain the extent to which the US intelligence agencies are in fact violating the privacy protections that Safe Harbor was created to guarantee.
A blog posting I now can't find suggested that at last the US is being faced with real economic damage from the NSA's actions. This is just as optimistic as some companies' chatter that the estimated 4,000-plus companies currently using Safe Harbor can continue in business as usual via contract law. The reality is that no contract can supersede a US company's obligations under the law to turn over data, nor can it supersede the EU's requirements for data protections. Hard rock, meet immovable place.
So what does happen now? At a press conference a couple of days ago, the Justice and Home Affairs commissioner, Vera Jourová, talked optimistically about renegotiating with the US to create a new agreement that will offer the protection Safe Harbor did not. She also stressed the Commission's commitment to finding a solution that allows data transfers to the US to continue. We'll call this plan Safer Harbor.
In the meantime, she said, data protection law does allow some exceptions that will allow transfers to continue:
- In performance of a contract such as a hotel booking;
- On important public interest grounds such as law enforcement cooperation in fighting fraud or cartels;
- The data subject's own vital interest, such as medical records to help in urgent life or death situations;
- The free and informed consent of the individual.
So, the most likely outcome: businesses such as Facebook and Google that rely on "the free flow of data" will probably start thinking up contingency plans, but for the moment will proceed as per usual, while arguing that the CJEU ruling threatens the free and open internet. EU - and especially UK - politicians will try to come up with patches that change as little as possible. There will probably have to be more court challenges. Another look will have to be taken at the data protection reform package, which has been in negotiation for some years now. One clause would require European companies to tell their relevant data protection authorities if they are being compelled to turn over data - even if they have been forbidden to disclose this under US law. Sounds nice, but doesn't mobilize the rock or soften the hard place, since companies will still have to pick a law to violate. I imagine the internal discussions there revolving around two questions: which violation is less likely to land the CEO in jail, and which set of fines can we afford?
Behind the scenes, the big data companies will continue to lobby for trade agreements such as TTIP and TPP to include provisions that require nations and regions to get rid of interference such as data protection laws.
Other options:
- Encrypt the data and give the key to an independent party under contract not to surrender it, unlikely because it won't end the originating company's liability;
- Reorganize IT systems to opt for local storage, deeply difficult for a company like Facebook;
- Expatriation, whereby companies remove themselves from the US and spin out their US operations.
Or the US can, as Privacy International suggests, change its laws to become more like those of the rest of the world. There is a glimmer of hope in that direction: California's new privacy law. But the big sticking point for EU courts is and will continue to be companies' obligations under FISAA coupled. Impasse.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.