The new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators are struggling to balance citizen rights with the desire to boost the competitiveness of the tech industry.
If someone were asked to guess which issue has generated the fiercest debate in Brussels in the recent months, the European Court of Justice (ECJ) Safe Harbour ruling should be the answer. Brussels has not stopped talking about it since the 6th October. Safe Harbour, which echoes a secure environment, no longer fits with the legal uncertainty and insecurity that the ruling has generated.
The ECJ ruled that the transatlantic Safe Harbour agreement, which allows American companies to use a single standard for consumer privacy and data transfer of private information between the EU and the US, is invalid.
With its ruling the ECJ has considerably challenged, if not disrupted this framework put in place to ease Trans-Atlantic information sharing, deeming it inadequate, especially in light of the surveillance allegations and scandals by USA intelligence services (including the NSA).
The upshot of the ruling is that there are now only limited pan-EU rules on data flow from Europe to the USA.
The ECJ has caused quite a stir in the tech world with its recent judgment. Tech companies, big and small, are scrambling to see what data they process and where it is transferred. Most multinationals are now legally obliged to suspend any transfer of its customers’ data to the USA and move their data storage and operations to an EU subsidiary.
Has anyone also quantified the economic implications of a real stop of data transfer between the EU and the USA? A power-generated black out is the best example I can think of.
The European Commission has therefore been put in a tough position. While it has to support the ruling by the European Court of Justice and guarantee citizens’ privacy, it had evoked the ire of the ICT industry. Trade and business associations are lobbying for a pragmatic solution namely via a transition period that would legalise the current Trans-Atlantic data flows.
The Commission has also promised guidelines for companies and data processors by early November and is working together with the national authorities to prevent fragmentation. But industry fears that this will not prevent headaches, stress and costs. A German data protection authority, for instance, has already warned it would fine non-compliant companies severely.
Meanwhile, Europe and the USA have also been negotiating a renewed Safe Harbour agreement. The ruling comes in the midst of these talks and will be an extra source of pressure. However, little can be done to accommodate the ruling unless America agrees to suspend its surveillance mechanisms on EU citizen data, which would be a very big ask.
In summary, the new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators try to balance citizen rights with the desire to boost its tech industry and remain competitive. It’s a fierce storm with no lighthouse in sight.
Protectionist policies, such as recently adopted German retrictions on public sector cloud use, can ultimately translate into a threat for the open and global structure of the Internet, argues Daniel Castro, Vice President of the Information Technology and Innovation Foundation and Director of the Center for Data Innovation
The Digital Post: Newly adopted German rules for government cloud computing means official data can only be processed in Germany. What is your opinion?
Daniel Castro: This is an unfortunate development, both for Germany and for others. First, countries like Germany should be an ally in support of free trade, and by enacting these types of non-tariff barriers to trade it gives cover to other countries who want to enact protectionist measures.
Second, by restricting access to foreign cloud providers, Germany is “cutting off its nose to spite its face.” Germany organizations benefit from having access to the best cloud providers, and many of these are foreign companies. This will raise costs and decrease productivity for affected organizations.
Third, there is little real benefit in terms of privacy and security to storing data within the country versus abroad. Countries should be working to clarify any distinctions. This is one reason my think tank has called for a “Geneva Convention on the Status of Data” to determine when government agencies can lawfully request access to data.
Most developed countries should be able to agree to common standards and abide by them. The end goal should be a data free trade zone that extends globally.
The Digital Post: Ever since the Snowden revelations came out, German PM Angela Merkel has been advocating for a separate European communication network/infrastructure. What might be the implications of such project, if it ever is implemented?
Daniel Castro: United States and Europe are allies on many issues, and it would be counterproductive to build separate infrastructure rather than working together towards a common goal.
Neither wants the other to spy on them, so they should be able to come to terms to upgrade the infrastructure we already share.
The greater threat to both U.S. and German interests are from China, so there is an opportunity to put aside past issues and come together to confront a looming issue.
The Digital Post: You often speak about the rise of “data nationalism” across the world. What is this phenomenon about?
Daniel Castro: Many countries are trying to pass laws and regulations to keep data within their borders, such as by requiring data to be processed locally. One reason countries are doing this is because they believe it will help create jobs, such as construction jobs for data centers.
But the net impact is very negative, as it raises the cost of doing business for the rest of the economy, and many businesses are increasingly dependent on cloud infrastructure. Moreover, some rules limit cross-border data flows which means a multinational company will run into serious issues as it tries to operate on a global scale.
The Digital Post: Is data nationalism a threat to the current structure and functioning of the Internet? Why?
Daniel Castro: Yes. The primary benefit of the Internet is that it is a global, open network available to all. Protectionist policies can chip away at this ideal until we are eventually left with a series of disjointed national or regional Internets.
Policymakers should be very concerned about overreacting to short-term fears about data privacy at the expense of damaging the potential growth of data-driven innovation in the Internet economy.