Europe Has to Rebuild Its Safe Harbor
The court that upset balance.
More than a week after the European Court of Justice pulled the rug from under trans-Atlantic e-commerce, U.S. companies remain confused about how to keep operating in Europe. Data-protection authorities meeting in Brussels offered little clarification beyond reminding the European Union and the U.S. of what's already obvious: A new e-commerce framework needs to be worked out as soon as possible.
The court's landmark ruling earlier this month, which said the data of Europeans is unsafe from U.S. government surveillance, was initially hailed by supporters as a victory for human rights and privacy. But it advances neither.
The ECJ invalidated a 15-year-old agreement known as Safe Harbor, which was an attempt to bridge differing approaches to data protection in Europe and the U.S. Under the deal, companies that transferred data to the U.S. pledged to abide by certain principles -- the need to notify people when their data was transferred, for example, and the need to keep that data secure. EU institutions and member states had been pushing back against the pact ever since the Edward Snowden revelations. In late 2013, the European Commission made 13 recommendations for revising Safe Harbor, including two opposed by the U.S. that were meant to address the national security exception. The ECJ decision has made that conversation much harder.
The court ruled that generalized surveillance and the storage of EU citizens' data in the U.S. are not compatible with the right to respect for private life under the EU Charter of Fundamental Rights. The court said U.S. data policies go "beyond what was strictly necessary and proportionate" for national security, and that Safe Harbor failed to provide Europeans with any legal remedy if they were unable to access or delete their data.
While the Googles and Amazons of the world have the money and legal counsel it takes to comply with the ruling and stay in business in Europe, thousands of other companies will suddenly find it harder to deliver services to customers and manage global supply chains. Many cloud-computing companies have relied on Safe Harbor for data transfers involving e-mail, payroll and customer-relationship systems. There are workarounds for data transfers from the EU -- including so-called model contracts -- but they are more cumbersome and they too may be subject to legal challenge.
The loss of this arrangement will impose an enormous cost on productivity and trade -- amounting to as much as 1.3 percent of EU gross domestic product, according to the American Chamber of Commerce to the European Union.
For all that, the decision won't do much to protect EU citizens from American surveillance. Any information the National Security Agency obtains from data flowing into the U.S. is already subject to strict legal reviews and limitations. But far fewer restrictions are in place when it comes to conducting surveillance overseas; by encouraging companies to store more consumer data in Europe, the ECJ judgment may end up making surveillance easier.
Meanwhile, the surveillance programs of some European countries have grown more robust. Snowden himself referred to a "European bazaar" in data collection, where intelligence services in France, Germany, Italy, Sweden, the Netherlands and other countries collect data and swap information. France strengthened the monitoring of digital communications without judicial oversight and, after the Charlie Hebdo attack, approved broad new surveillance powers.
The European court's ruling upset a delicate balance that had been struck between the EU and the U.S. on data transfers and exposes deep disagreement on how to balance the needs of commerce, the rights of consumers and the exigencies of national security. In the digital age, there's no such thing as the technological sovereignty that Europe seeks, no such thing as perfectly ring-fenced privacy.
To clear the fog that threatens trade, Brussels and Washington must now make fast progress on a new Safe Harbor pact, ideally one that gives companies the same ease of use that the old one provided.
To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at firstname.lastname@example.org.