Safe harbor in the world of international digital data transfer has been a major topic of discussion in the tech world in recent weeks. Since 1998, data transferred from European citizens to American shores by U.S. tech companies have been regulated by the U.S.- EU safe harbor agreement. Under these rules, American companies have been able to make international data transfers if they can self-certify that they can keep the personal data of European citizens secure to the privacy standards of the European Union, which operates a much different data security regime than is implemented in the United States.
These rules have come under the crosshairs of a recent ruling by the European Court of Justice, the EU’s highest court, which has invalidated the safe harbor agreement in light of revelations made by Edward Snowden on the data surveillance tactics of America’s National Security Agency (NSA). Although American tech companies like Facebook (NASDAQ:FB) and Google/Alphabet (NASDAQ:GOOG) argue their own strong principles for personal data privacy and security, the Snowden/NSA revelations have proven to be the source of at least some distrust in the area of international data transfer.
The future of data transfer between the U.S. and the European Union was at the center of an event at the Brookings Institution on Monday, November 16th. The keynote address at the event was made by V?ra Jourová, a commissioner on justice, consumers and gender equality at the European Commission. The day’s discussion mainly focused on the steps that still needed to be taken in order to bridge the EU’s concerns with the ability of tech companies, not just American-based firms, to operate in the continent.
Of course, the day’s discussion was colored by the events of the previous Friday, when Islamic State terrorists carried out an attack on multiple civilian locations in Paris and Saint-Denis. “It sadly reminded us how urgent the implementation of a security agenda is,” Jourová said. Yet the European commissioner noted that, just as the attack targeted the European way of life and the values of tolerance and peaceful coexistence, those values should be defended without giving into fear. A key element of that struggle will involve greater cooperation among criminal justice agencies from the U.S. and the EU, Jourová noted.
The need to agree on a set of standards for trans-Atlantic data flows is therefore very important for criminal justice and commercial interests alike, and commercial interests were of heavy concern during Jourová’s speech. Her main goal for her visit to Washington D.C. was to finalize discussions leading to a framework for regulating the commercial transfer of data between the U.S. and the EU, discussions that Jourová said began with U.S. Secretary of Commerce Penny Pritzker back in January 2014.
Jourová also praised the activity leading to the introduction of H.R. 1428, known as the Judicial Redress Act, to the floor of the U.S. House of Representatives. This bill, which would give foreigners the same ability to seek judicial redress from the U.S. government that American citizens already have, would serve as a step towards the establishment of a framework for rules to replace the invalidated safe harbor agreement. From Jourová’s point of view, passage of this bill would end the de facto discrimination against foreigners put in place by the Privacy Act of 1974 which established a code of fair information practices to be followed by American federal agencies.
Some of Jourová’s comments sought to address certain misunderstandings that have cropped up since the early October decision of the European Court of Justice. First, she stressed the fact that the decision by the EU’s highest courts was not a specific criticism of America’s data privacy regime, even though the case stemmed from concerns over U.S. data surveillance practices. “Rather, the court set a general standard that has to be met by any country to be considered adequate,” Jourová said. Also, general misunderstandings about the differences in America’s data surveillance methods, largely undertaken by the NSA, and the European Union’s data security structure, which involves a fragmented collection of 28 data protection authorities (DPAs), has led to concerns about developing uniform standards. Although the DPAs have the authority to investigate complaints, it is only the highest court in Europe, the European Court of Justice, that can make a decision on the adequacy of data protection. “The judgement does not require the identical reorganization of a judicial system to mimic the European Union, but it needs data safeguards that are globally equivalent to Europe’s,” Jourová said.
That idea of global equivalency in data safeguards continues to be a difficult point that needs to be ironed out ahead of a new regulatory framework to replace safe harbor. Although foreign data privacy practices do not have to mirror those put in place by the EU, they do have to prove “essential equivalence,” however, and that has been difficult to define. While downplaying comparisons of the U.S. and EU’s different data privacy regimes, Jourová stressed that equivalency was necessary in order to re-establish and maintain high levels of trust between the U.S. and EU. “We must define better what is essential equivalence, not pure equivalence,” Jourová said. “Something similar which will bring the same result” of keeping the data of European citizens secure to EU’s data privacy standards.
New rules would put in place a system by which some data surveillance could be justifiable, an important consideration given the ability of terrorist groups to leverage encrypted messaging technologies to coordinate attacks. “There must be a proper balance between the right of privacy and surveillance,” Jourová said. “Interference into privacy must be justified.” Earlier in her speech, however, Jourová also stated that, “Targeted access [of data] can become crucial in the fight against terrorism.” Safeguards to be put in place by new rules should still prevent access and use of personal data on a generalized basis, she said.
Still, there was a great deal of optimism surrounding the idea that the U.S. and EU would be able to work out a new international data transfer agreement. Jourová noted that the U.S. and EU are each other’s most important trading partners, encouraging the political will to develop a solution to the invalidated safe harbor agreement. The clear guidelines from the European Court of Justice’s decision should also help politicians chart a clear course towards an agreement. “We can agree to common approaches of data protection and now repeat it in the world of commercial ventures,” Jourová said.